Information processing apparatus, method and computer-readable medium

ABSTRACT

An information processing apparatus includes: a specification unit that specifies a phase of activity of terminals by comparing communication between terminals with a pattern held in advance; and a correlation analysis unit that determines whether or not a first terminal and a second terminal are carrying out activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when the phase specified currently or in the past in respect of the first terminal and the phase specified currently or in the past in respect of the second terminal are the same.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation application of International Application PCT/JP2014/084691 filed on Dec. 26, 2014, claiming the benefit of priority of the prior Japanese Patent Application No. JP2014-004055, filed on Jan. 14, 2014, and designated the U.S., the entire contents of which are incorporated herein by reference.

FIELD

The present disclosure relates to technology for managing terminals connected to a network.

BACKGROUND

In the prior art, a method has been proposed in which concern index values are assigned to flows between hosts on a network, and an alarm is issued if the accumulated concern index values exceed a threshold value (see the specifications of U.S. Pat. No. 7,475,426 and U.S. Pat. No. 7,185,368).

Furthermore, an attack method has also been reported in which, in order to delay the discovery of information leaks, exploitable information acquired from within an organization is collected in a representative infected terminal within the organization, and is then sent outside (see Information-technology Promotion Agency, Japan (IPA), “Targeted server attacks: Case studies and countermeasure reports”, [online], 20 Jan. 2012, Information-technology Promotion Agency, Japan [retrieved 19 Dec. 2014], Internet <URL:http://www.ipa.go.jp/files/000024536.pdf>). Moreover, there is also a research report which discusses introducing an agent into a terminal in an organization and acquiring and analyzing communication contents and process information, etc., to determine whether or not the terminal is participating in a botnet, and if the terminal is participating in a botnet, analyzing the role of the terminal in the botnet (see Hailong Wang, and one other, “Role-based collaborative information collection model for botnet detection”, [online], 17 May 2000, IEEE, [retrieved 19 Dec. 2014], Internet <URL:http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5478475&isnumber=5478444>).

SUMMARY

One example of the present disclosure is an information processing apparatus, including: a comparison unit that compares a communication by a plurality of terminals with a pattern held in advance; a specification unit that specifies a phase of activity of the terminals, in accordance with a comparison result of comparison by the comparison unit; and a correlation analysis unit that determines whether or not a first terminal and a second terminal included in the plurality of terminals are carrying out activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when a phase specified currently or in the past in respect of the first terminal is the same as a phase specified currently or in the past in respect of the second terminal.

The present disclosure can be understood as an information processing apparatus, a system, a method executed by a computer, or a program which is executed in a computer.

Furthermore, the present disclosure can also be understood as a recording medium on which such a program is recorded so as to be readable by a computer, or other apparatus or machine, or the like.

Here, a recording medium which is readable by a computer, or the like, is a recording medium on which information, such as data or programs, is stored by an electrical, magnetic, optical, mechanical or chemical action, and which can be read by the computer, or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic drawing showing a configuration of a system relating to an embodiment;

FIG. 2 is a diagram showing a hardware configuration of a network monitoring apparatus and a management server relating to the embodiment;

FIG. 3 is a diagram showing a schematic view of the functional configuration of the network monitoring apparatus relating to the embodiment;

FIG. 4 is a diagram showing a model of malware activity transitions, which is used by a malware behavior detection engine according to the embodiment;

FIG. 5 is a flowchart showing an overview of a flow of detection processing for each packet relating to the embodiment;

FIG. 6 is a flowchart (A) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 7 is a flowchart (B) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 8 is a flowchart (C) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 9 is a diagram showing phases in an activity transition model and the transitions therebetween, which are objects of monitoring in a first correlation analysis according to the embodiment;

FIG. 10 is a diagram showing a transition to an exploration phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 11 is a diagram showing a transition to an execution file download phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 12 is a flowchart showing a flow of correlation analysis for determining a correlation between a communication relating to the attack phase and a communication relating to the execution file download phase;

FIG. 13 is a diagram showing a transition to a C&C exploration phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 14 is a diagram showing a transition to a C&C communication phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 15 is a diagram showing a transition to an attack phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 16 is a flowchart showing a flow of a third correlation analysis process performed by the malware behavior detection engine relating to the embodiment;

FIG. 17 is a flowchart showing a flow of a role estimation correlation analysis process for the infection and invasion phase relating to the embodiment;

FIG. 18 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the infection and invasion phase according to the embodiment;

FIG. 19 is a flowchart showing a flow of a role estimation correlation analysis process for the execution file download phase relating to the embodiment;

FIG. 20 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the execution file download phase according to the embodiment;

FIG. 21 is a flowchart showing a flow of a role estimation correlation analysis process for the C&C communication phase relating to the embodiment;

FIG. 22 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the C&C communication phase according to the embodiment;

FIG. 23 is a flowchart showing a flow of a role estimation correlation analysis process for the exploited information upload phase relating to the embodiment;

FIG. 24 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the exploited information upload phase according to the embodiment; and

FIG. 25 is a schematic drawing showing a variation of the configuration of a system relating to the embodiment.

DESCRIPTION OF EMBODIMENTS

Below, embodiments of the information processing apparatus and the method and program relating to the present disclosure are described on the basis of the drawings.

However, the embodiments given below are merely examples, and the information processing apparatus and the method and program relating to the present disclosure are not limited to the specific configuration given below.

In implementing the disclosure, the concrete configurations corresponding to the embodiments can be adopted, as appropriate, and various improvements and modifications can be made.

In the present embodiment, the information processing apparatus, method and program relating to the present disclosure are described on the basis of an embodiment implemented in a system in which a terminal carrying out an unauthorized activity on a network is discovered and measures such as blocking communications or issuing an alert, etc. are implemented. The information processing apparatus, method and program relating to the present disclosure can be applied widely to technology for detecting unauthorized activity on a network, and the object of application of the disclosure is not limited to the example given in the present embodiment.

<System Configuration>

FIG. 1 is a schematic drawing showing the configuration of a system 1 relating to the present embodiment. The system 1 relating to the present embodiment includes a network segment 2 to which a plurality of information processing terminals 90 (called “nodes 90” below) are connected, and a network monitoring apparatus 20 for monitoring communications relating to the nodes 90. Furthermore, the management server 50 is connected so as to be able to communicate with the network segment 2 via a router 10. In the present embodiment, the network monitoring apparatus 20 acquires packets, frames, etc. sent and received by the nodes 90, by connecting with a monitoring port (mirror port) of the switch or router (the router in the example shown in FIG. 1). In this case, the network monitoring apparatus 20 operates in a passive mode and does not transfer the acquired packets.

The management server 50 gathers information from the network monitoring apparatus 20 and manages the network monitoring apparatus 20. A quarantine server may also be provided in the external network, and a quarantine service may be provided to the nodes 90 connected to the network segment 2, and a business server may also be provided and a service for business may be provided to the nodes 90 (not illustrated in the drawings).

In the system 1 relating to the present embodiment, the various servers connected to from the nodes 90 are connected remotely via the Internet or a wide-area network (for example, the servers are provided by an application service provider (ASP)), but these servers do not necessarily have to be connected remotely. For example, the servers may also be connected to a local network in which the nodes 90 and the network monitoring apparatus 20 are situated.

FIG. 2 is a diagram showing a hardware configuration of a network monitoring apparatus 20 and a management server 50 relating to the present embodiment. In FIG. 2, the configuration apart from the network monitoring apparatus 20 and the management server 50 (namely, the router 10, nodes 90, etc.) is not illustrated. The network monitoring apparatus 20 and the management server 50 are, respectively, computers including a central processing unit (CPU) 11a, 11b, a random access memory (RAM) 13a, 13b, a read only memory (ROM) 12a, 12b, a storage apparatus 14a, 14b, such as an electrically erasable and programmable read only memory (EEPROM) or a hard disk drive (HDD), a communication unit such as a network interface card (NIC) 15a, 15b, and the like.

FIG. 3 is a diagram showing a schematic view of the functional configuration of a network monitoring apparatus 20 relating to the present embodiment. In FIG. 3, the configuration apart from the network monitoring apparatus 20 (namely, the router 10, nodes 90 and management server 50, etc.) is not illustrated. The network monitoring apparatus 20 functions as an information processing apparatus including a communication acquisition unit 21, a communication blocking unit 22, an application detection engine 23, a protocol anomaly detection engine 24 and a malware behavior detection engine 25, by means of a program recorded in the storage apparatus 14a being read out to the RAM 13a and executed in the CPU 11a. Furthermore, the malware behavior detection engine 25 includes a comparison unit 251, an evaluated value acquisition unit 252, a correction unit 253, a specification unit 254, a holding unit 255, a totalizing unit 256, a determination unit 257, a correlation analysis unit 258, and a role estimation unit 259. In the present embodiment, the various functions provided in the network monitoring apparatus 20 are executed by the CPU 11a, which is a generic processor, but all or a part of these functions may be executed by one or a plurality of special processors. Furthermore, all or a part of these functions may be executed by a remotely situated apparatus, or a plurality of apparatuses in dispersed locations, by using cloud technology, or the like.

The communication acquisition unit 21 acquires communication sent and received by terminals connected to the network. In the present embodiment, a “terminal” which is the object of monitoring and detection by the network monitoring apparatus 20 includes the nodes 90 which are connected to the network segment 2 and other apparatuses (nodes belonging to other networks, external servers, etc.) which communicate with the nodes 90 via the router 10.

The communication blocking unit 22 blocks a communication by a terminal, if it is determined by the application detection engine 23, the protocol anomaly detection engine 24 or the malware behavior detection engine 25 that the terminal in question is used to conduct an unauthorized activity. In the present embodiment, an example is described in which a countermeasure for blocking the communication by the terminal is applied, if it is determined that the terminal in question is used to conduct an unauthorized activity, but the method of the countermeasure adopted when it is determined that a terminal is used to conduct an unauthorized activity is not limited to blocking of the communication. Upon determining that a terminal is used to conduct an unauthorized activity, the network monitoring apparatus 20 may issue an alert (warning) or implement a cure (for example, removal of malware, elimination of vulnerabilities) in the terminal conducting the unauthorized activity.

The application detection engine 23 is an engine which detects when an application, which is used by malware and is not required for business, is carrying out communication on the network; for example, the application detection engine 23 detects that an application not required for business is running on a node 90 by detecting communication based on known remote access Trojans (RAT), peer-to-peer (P2P) applications, The Onion Router (Tor), UltraSurf (a proxy tool), anonymous proxies, etc.

The protocol anomaly detection engine 24 is an engine which detects communication that does not follow protocols on the network, for example, an HTTP anomaly detection engine, an SSL/TLS anomaly detection engine or a DNS anomaly detection engine, or the like. By detecting a communication that does not follow these protocols, the protocol anomaly detection engine 24 detects a node 90 which is used to conduct a communication that does not observe the protocols on the network.

The malware behavior detection engine 25 evaluates the commonality between a communication on the network and a “communication pattern characteristic of malware”, for each phase of unauthorized activity by malware, these phases being defined in a malware activity transition model, analyzes malware behavior by monitoring the state of transitions between phases of malware activity, and thereby detects malware infection in a node 90.

FIG. 4 is a diagram showing a model of malware activity transitions, which is used by the malware behavior detection engine 25 of the present embodiment. Phase P1 to phase P8 are defined in the malware activity transition model shown in the present embodiment, but this is one example used in the present embodiment and the malware activity transition model may be modified, as appropriate, in accordance with the embodiment. Below, each phase in the malware activity transition model relating to the present embodiment will be described.

Phase P1 is an infiltration phase, in other words, a phase where infecting malicious content (malicious code, attack code, exploit code, etc.) is downloaded by utilizing a vulnerability in the OS or applications, when, for instance, a file attachment or an e-mail URL in a targeted e-mail attack is clicked, or a URL on a web site (mainly, an SNS site) is clicked, and so on. The transition destination from phase P1 is either phase P2, phase P4 or phase P8 in the case of an autonomous malware infiltration, such as a worm, and is either phase P2 or phase P4 in the case of bot-type malware.

Phase P2 is an exploration phase, in other words, a phase of exploring for an infection target terminal which has a vulnerability.

Phase P3 is an infection and invasion phase (diffusion phase), in other words, a phase of targeting the vulnerability to introduce an exploit code to infect the terminal, or causing an exploit code to be introduced from another terminal to infect the terminal. In the infection and invasion phase, an exploit code is introduced into the targeted terminal via an already infected terminal, and the terminal into which the exploit code has been introduced becomes infected with the malware. For example, a diffusion activity is performed by utilizing an MS-RPC or file sharing vulnerability in the Windows OS. In the case of bot-type malware, an infection activity (malware diffusion activity) is executed based on a command issued by an attacker (herder) via a command and control (C&C) server (phase P6). The transition destination from phase P3 is either phase P4 or phase P8 in the case of autonomous malware, such as a worm, and phase P4 in the case of bot-type malware. The infection and invasion phase has two aspects. One is a phase in which an infecting terminal executes an infection activity. The other is a phase in which an exploit code is introduced to infect a victim (infection target) terminal.

Phase P4 is an execution file download phase, in other words, a phase in which, after introduction of the exploit code, the execution file, which is the actual malware itself, is downloaded and activated from a malware delivery site or from an already infected terminal, or new malware is downloaded from a site designated by a command from the attacker (via a C&C server), with the object of avoiding detection of the malware by anti-virus products and/or adding new functions, and so on. The HTTP, FTP or TFTP protocols are used principally for downloading the malware itself. Furthermore, a protocol that is unique to the malware may also be used. The transition destination from phase P4 is either phase P5 or phase P6 in the case of remote-controlled malware, such as a bot, and is generally phase P2 or phase P8 in the case of autonomous malware, such as a worm.

Phase P5 is a C&C exploration phase, in other words, a phase of exploring for the C&C server in order to receive a command from an attacker. Malware which transfers to this phase is principally remote-controlled malware, such as a bot. Generally, the FQDNs of a plurality of C&C servers are incorporated into the malware and a DNS query is used to resolve the address. In the case of a P2P-type botnet, a P2P protocol (generic or unique protocol) is used to search for the C&C node. Malware of a type which has a hard-coded IP address is not active in this phase. The transfer destination from phase P5 is phase P6.

Phase P6 is a C&C communication phase (including Internet connection check), in other words, a phase in which data is sent and received in connection with the C&C server, in order to receive commands from the attacker and to report the command execution results (respond), and the like. There also exists malware which checks the Internet connection before connecting to the C&C server. In the connection to the C&C server, any of the IP addresses which were successfully resolved in phase P5 or any of the IP addresses which are hard-coded in the malware are used. When a command is received from the C&C server, the malware activity transfers from phase P6 to phase P2, phase P4 or phase P8, in accordance with the commands from the attacker. The execution results are reported to the attacker via the C&C server. On the other hand, if the malware fails to connect to the C&C server, then the malware retries connection with another IP address, and if this fails also, then the malware returns to phase P5 and either searches for another C&C server or stops activity. The existence of malware which repeatedly and endlessly reconnects until the connection is successful is also reported. Furthermore, if an abnormality occurs in the C&C communication path and recovery is not possible, then the malware activity transfers to phase P5. Moreover, there is also malware which performs an operation of changing the C&C server at prescribed time intervals, and in this case, the malware activity transfers to phase P5. Furthermore, phase P6 includes a phase of waiting for an instruction from the attacker. The malware periodically accesses the C&C server to maintain the communication path, and also waits for a command from the attacker.

Phase P7 is an exploit information upload phase, in other words, a phase in which information obtained by the activity of the malware, etc. is uploaded to a server, or the like, on the attacker side.

Phase P8 is an attack activity phase, in other words, a phase in which various attack activities are carried out in accordance with a command from the attacker (bot type) or the exploit code (worm type) which is incorporated into the malware. Activity corresponding to phase P1 may be carried out in order to find an attack target. Attack activities include: DoS attacks, spam mail attacks, Web attacks (Web falsification), stepping stones, etc.

The malware behavior detection engine 25 has a comparison unit 251, an evaluated value acquisition unit 252, a correction unit 253, a specification unit 254, a holding unit 255, a totalizing unit 256, a determination unit 257, a correlation analysis unit 258, and a role estimation unit 259 (see FIG. 3), and by means of these units the malware behavior detection engine 25 monitors the transitional states between the phases of malware activity which are defined as described above, and detects a malware infection in the nodes 90. Below, the respective functional units of the malware behavior detection engine 25 will be described.

The comparison unit 251 compares communication newly acquired by the communication acquisition unit 21 (packets which have been newly acquired and become the object of processing; hereinafter called “input packets”) with previously held communication patterns. Peculiar communication patterns which appear as a result of various malware activities are defined in advance in the held communication patterns. In the present embodiment, a plurality of communication patterns are defined in advance for each of the phases of the malware activity transition model, and are held in the network monitoring apparatus 20 or the management server 50. A communication pattern relating to phase Pn (here, n is an integer from 1 to 7) is expressed as “Pn−m” (where m is a number equal to or greater than 1). It should be noted that there are also communication patterns which are not dependent on any of the phases (in other words, which may appear in a plurality of different phases). In the present embodiment, a communication pattern which is not dependent on any of the phases P1 to P8 is expressed as “P0−m”.

As a result of the comparison by the comparison unit 251, the evaluated value acquisition unit 252 acquires a grade for the input packet, in the form of a grade (evaluated value) which is previously set in respect of a communication pattern which matches or approximates the input packet (such a pattern is referred to simply as a “corresponding” communication pattern below). The grade (Gr) is a value which indicates the “extent to which the terminal is inferred to be carrying out unauthorized activity (malware activity)”, and which is assigned to the individual communication patterns. In the present embodiment, the grade (Gr) is in the range 0 ≤ Gr < 1.0 (a fraction to one decimal place). Grade (Gr) = 0 indicates the lowest possibility of the communication pattern occurring as a result of malware activity, and the closer the value of the grade to 1, the higher the possibility that the communication pattern has occurred as a result of malware activity. The grade (Gr) is specified in advance for each communication pattern, on the basis of the frequency of appearance as a communication pattern in a normal application. In other words, a grade of a higher value is assigned to a communication which has a low possibility of appearing as a communication resulting from an authorized application, and a lower grade is assigned to a communication which has a high possibility of appearing as a communication resulting from an authorized application. In the present embodiment, a grade set in advance for the communication pattern Pn−m is expressed as “Gr(Pn−m)” and a grade assigned to a terminal (h) which carries out the communication in question is expressed as “Gr(h, Pn−m)”.

Even with the same communication pattern, different grades (Gr) are assigned based on the conditions. For example, if two conditions associated with a communication pattern, “A: destination does not match a C&C server” and “B: destination matches one C&C server”, are set, then the conditions are determined as indicated below, and different grades are assigned depending on whether or not the destination matches a registered C&C server.

IF (Pn−m=TRUE) AND (A) THEN Gr(Pn−m)=0.1, ACTION=register in C&C server candidate list

IF (Pn−m=TRUE) AND (B) THEN Gr(Pn−m)=0.6, ACTION=No

Moreover, in the present embodiment, the evaluated value acquisition unit 252 acquires a grade in accordance with the results of a correlation analysis between the input packet, and other packets sent or received before or after the input packet by a terminal relating to the input packet (called “preceding packets” and “subsequent packets” below). More specifically, in the present embodiment, the evaluated value acquisition unit 252 determines whether or not there is continuity between a phase acquired in respect of a communication (input packet) acquired by the communication acquisition unit 21 and a phase acquired in respect of another communication (preceding packet or subsequent packet) carried out before or after the communication in question, in respect of the terminal relating to the communication in question, and acquires a grade if it is determined that there is continuity.

The correction unit 253 corrects the grade acquired by the evaluated value acquisition unit 252, in accordance with the results of a correlation analysis between the input packet and the preceding packet or subsequent packet. More specifically, in the present embodiment, the correction unit 253 determines whether or not there is continuity between a phase acquired in respect of a communication (input packet) acquired by the communication acquisition unit 21 and a phase acquired in respect of another communication (preceding packet or subsequent packet) carried out before or after the communication in question, in respect of the terminal relating to the communication in question, and corrects the grade acquired by the evaluated value acquisition unit 252 so as to be larger, if it is determined that there is continuity, compared to when it is determined that there is no continuity.

In other words, in the present embodiment, by means of the evaluated value acquisition unit 252 and the correction unit 253, a correlation analysis is carried out between a newly acquired communication (input packet) and a past or future communication (preceding packet or subsequent packet) by the terminal relating to the communication in question, and if it is considered that there is “continuity of a kind which raises the extent to which the communication is inferred to be malware activity” between the input packet and the preceding packet or subsequent packet, then the grade corresponding to the past or future communication (preceding packet or subsequent packet) is acquired, and the grade corresponding to the newly acquired communication (input packet) is corrected.

The specification unit 254 specifies the phase and grade relating to the terminal in question, in respect of the input packet. The specification unit 254 specifies the phase Pn which is set in advance in respect of the communication pattern Pn−m corresponding to the input packet, based on the comparison by the comparison unit 251, to be the phase relating to the terminal in question. Furthermore, the specification unit 254 may specify the grade Gr(Pn−m) acquired by the evaluated value acquisition unit 252, directly, as the grade for the input packet, but if the grade is corrected by the correction unit 253, then the specification unit 254 specifies the corrected value as the grade for the input packet.

The holding unit 255 holds the maximum values of the specified grades for each phase, for each of the terminals. In the present embodiment, for each phase Pn of the malware activity transition model, the holding unit 255 holds the maximum value of the grade Gr(Pn−m) for the communication patterns Pn−m detected in respect of the phase Pn in question, as the grade for the phase Pn, and expresses it as “PGr(Pn)”. The grade for the phase Pn in the terminal (h) is expressed as “PGr(h,Pn)” and is acquired by the following equation.

$\mathrm{PGr}(h, P_n) = \max\{\, \mathrm{Gr}(P_{n\text{-}m}) \mid P_{n\text{-}m} \in h \,\}$

In the present embodiment, the holding unit 255 uses a grade management table holding the maximum grade value for each phase and each terminal, to manage the grade of each phase in each terminal (not illustrated). A grade PGr(h,Pn) for each phase Pn is held in the grade management table, for each of the terminals (h) identified by the network monitoring apparatus 20. As described above, the grade PGr(h,Pn) for each phase Pn is the maximum value of the grades Gr(Pn−m) for the detected communication patterns Pn−m in respect of the phase Pn in question. Therefore, when a new grade is specified in respect of any phase, the grade PGr(h,Pn) held in the grade management table is compared with the newly specified grade and updated to the maximum value. The maximum value Gr(h,Pn−m) of the grade Gr(Pn−m) for each communication pattern Pn−m is also held in the storage apparatus 14a.

The totalizing unit 256 acquires the maximum values PGr(h,Pn) of the grades of the respective phases from phase P1 to phase P8, for each terminal, and totalizes these maximum values.

The determination unit 257 determines whether or not the terminal is carrying out unauthorized activity, based on the maximum values PGr(h,Pn) of the grades for each phase, in the terminal (h) that is the processing object. In the present embodiment, the determination unit 257 determines whether or not the terminal is carrying out unauthorized activity on the basis of the total value obtained by the totalizing unit 256. More specifically, the determination unit 257 applies a prescribed weighting to the total value, to calculate a “value indicating the degree of possibility of activity by malware” (called “possibility of malware activity” below), and if this value exceeds a prescribed threshold value, then the determination unit 257 determines that the terminal in question is carrying out unauthorized activity. The possibility of malware activity for the terminal (h) indicates the degree of possibility that the terminal (h) is infected by malware, and is expressed as “IR(h)”. The possibility of malware activity for the terminal (h) takes a value between 0 (no infection) and 100 (high possibility of infection). In other words, in the present embodiment, the possibility of malware activity for the terminal (h) is defined as indicated below. Here, ψ indicates the malware activity coefficient.

IR(h) = min(ψ · Σ_{n=1}^{8} PGr(h,Pn), 1) × 100

In general, a terminal in which communication patterns are detected in a large number of (continuous) phases in the activity transition model can be determined as having a higher possibility of being infected with malware than a terminal in which communication patterns are detected in a small number of phases, and therefore a malware activity coefficient ψ is introduced (in the present embodiment, the coefficient is set specifically to a value of 0.5). The possibility of malware activity IR(h) described above is calculated and updated each time a communication corresponding to one of the communication patterns relating to the terminal (h) is detected.

In the present embodiment, a terminal having a possibility of malware activity of 0 to 49 is defined as a “clean terminal”, a terminal having a possibility of malware activity of 50 to 89 is defined as a “grey terminal”, and a terminal having a possibility of malware activity of 90 to 100 is defined as a “black terminal”. The possibility of malware activity and the definition “clean”, “grey” or “black” are displayed for each terminal, as real-time report information, on a management screen (device list screen) of an administrator terminal. Furthermore, an overview of the detected “communication patterns” and a list indicating the number of times each pattern has been detected are displayed for each terminal, as detailed information. The threshold values of the “clean”, “grey” and “black” definitions relating to the possibility of malware activity may be set by the administrator.

The correlation analysis unit 258 analyses the correlation between an input packet and other packets (preceding packets or subsequent packets) which are sent or received before or after the input packet by the terminal relating to the input packet. More specifically, the correlation analysis which is carried out in the present embodiment involves analyzing the presence or extent of correlation, such as continuity or commonality, etc., between two or more communications, or between two or more phases, and the result of the correlation analysis is used by the evaluated value acquisition unit 252, the correction unit 253, and the determination unit 257. For example, by carrying out correlation analysis between a first communication that is determined by the specification unit 254 to be in the infiltration phase P1, and a second communication that is determined to be in the execution file download phase, the correlation analysis unit 258 determines the presence or the extent of a correlation between the download of content by the first communication and the download of an execution file by the second communication. The specific method of the correlation analysis is described hereinafter.

Furthermore, when the phase specified currently or in the past for a first terminal in which a communication has been detected, and the phase specified currently or in the past for a second terminal, are common (the same), then the correlation analysis unit 258 determines whether or not the first terminal and the second terminal are carrying out activity cooperatively, by performing a correlation analysis between the communication by the first terminal and the communication by the second terminal. In this, the correlation analysis unit 258 determines whether or not the first terminal and the second terminal are carrying out activity cooperatively, by determining the presence or extent of continuity or relationship between the communication by the first terminal and the communication by the second terminal. The details of the correlation analysis between communications by different terminals are described below in “(3) Correlation analysis for role estimation”.

The role estimation unit 259 estimates the role in the activity in the phase in question, of the first terminal or the second terminal that has been determined to be operating cooperatively by the correlation analysis unit 258.

<Flow of Processing>

Next, the flow of processing executed by the system 1 relating to the present embodiment will be described with reference to a flowchart. The specific contents of the processing and the processing sequence indicated in the flowchart described below are examples for implementing the present disclosure. The specific contents of the processing and the processing sequence may be selected, as appropriate, in accordance with the mode of implementing the present disclosure.

When the network monitoring apparatus 20 is connected to a new network, before starting the detection process for each packet as described below, the network monitoring apparatus 20 executes a network configuration analysis/learning process, as preliminary processing. More specifically, when connected to a new network, the network monitoring apparatus 20 acquires packets for a prescribed period of time, and by analyzing the acquired packets, analyzes the configuration of the network that is the object of monitoring, learns the information required for malware detection (a device list (device types, OS types, MAC/IP addresses, etc.), the address system of the network that is the object of monitoring, the DNS server information, mail server information, proxy (HTTP/SOCKS) information, Active Directory information, etc.), and stores same in the storage apparatus 14 a, or the like.

The network configuration analysis/learning process is executed by the network monitoring apparatus 20 continuously, also after the detection process described below has started. In other words, the network monitoring apparatus 20 compares the information obtained by analyzing the acquired packets with the information learnt by the abovementioned analysis/learning process and held in the storage apparatus 14 a of the network monitoring apparatus 20, and if, as a result of this comparison, the newly obtained information is different from the held information, then the network monitoring apparatus 20 determines that the configuration in the network segment 2 has changed, and uses the newly obtained information to update the information held in the storage apparatus 14 a of the network monitoring apparatus 20.

FIG. 5 is a flowchart showing an overview of the flow of detection processing for each packet relating to the present embodiment. The detection processing relating to the present embodiment is executed by the network monitoring apparatus 20 whenever a packet (or data comprising a plurality of packets) passing over the network is acquired.

In step S001, pre-processing for packet analysis is executed. When a new communication (input packet) is acquired by the communication acquisition unit 21, the network monitoring apparatus 20 shapes and classifies the input packet, and associates the packet with a valid existing flow. Furthermore, the network monitoring apparatus 20 classifies the input packets and associates same with an existing flow, in terminal units (transmission source/destination IP address (MAC address) units), and protocol units (TCP/UDP, ICMP, DNS, HTTP, HTTPS, IRC, FTP, TFTP, SOCKS, NetBIOS, etc.). Thereupon, the processing advances to step S002.

From step S002 to step S005, processing is carried out by the application detection engine 23 and the protocol anomaly detection engine 24. The network monitoring apparatus 20 relating to the present embodiment uses detection engines (detection programs) of the three types described above to detect an unauthorized communication by a terminal connected to the network, but in the present embodiment, upon acquiring a packet, the network monitoring apparatus 20 implements detection by the application detection engine 23 and the protocol anomaly detection engine 24, and then implements detection by the malware behavior detection engine 25. In other words, in the present embodiment, the malware behavior detection engine 25 determines whether or not a node 90 is used to conduct unauthorized activity based on communication which has not been detected as an unauthorized communication by the other detection units (the application detection engine 23 and the protocol anomaly detection engine 24). By adopting this composition, according to the present embodiment, the number of packets processed by the malware behavior detection engine 25 is reduced, and the load created by the operation of the behavior detection engine can be reduced. However, the malware behavior detection engine 25 may operate independently, or may operate in combination with the other detection engines. Furthermore, the processing sequence of the detection engines when the packets are acquired is not limited to the example indicated in the present embodiment.

When an unnecessary application is detected by the application detection engine 23 or when a protocol anomaly is detected by the protocol anomaly detection engine 24, the processing advances to step S012, and blocking is implemented or an alert is issued. On the other hand, if an unnecessary application or a protocol anomaly is not detected, then the processing advances to step S006. The processing from step S006 to step S011 in this flowchart corresponds to the processing performed by the malware behavior detection engine 25.

In step S006, a communication pattern judgment process is carried out. The comparison unit 251 determines the commonality between the input packet and a previously defined communication pattern (Pn−m), by comparing the input packet and the previously defined communication pattern (Pn−m). Here, if it is determined that there is commonality with the communication pattern (Pn−m), then the phase in the activity transition model of the terminal (h) relating to the input packet is specified as the phase Pn(h). Furthermore, the evaluated value acquisition unit 252 acquires, as a result of the determination, the grade Gr(Pn−m) of the communication pattern determined to be matching or approximate (corresponding), to be the grade Gr(h,Pn−m) for the input packet in association with the terminal (h). Moreover, the network monitoring apparatus 20 registers the transmission source terminal or the destination terminal of the communication in question, in a “malware delivery server candidate list” or “C&C server candidate list”, based on the detected communication pattern. Here, a determination and evaluation are made with respect to the communication patterns of all phases, taking account of lost packets. In order to associate with the existing determined flow, a determination is not made with regard to an input packet which does not require an additional determination process, and only updating of the statistical information is carried out. Thereupon, the processing advances to step S007.

In step S007, a first correlation analysis is carried out. The evaluated value acquisition unit 252 picks up a C&C communication which cannot be detected in step S006. The evaluated value acquisition unit 252 picks up a communication which has triggered a transition to the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8, and the network monitoring apparatus 20 registers the transmission source terminal or the destination terminal of the communication in question, in the C&C server candidate list. The contents of processing of the first correlation analysis are described below with reference to FIG. 6 to FIG. 8 and FIG. 9. Thereupon, the processing advances to step S008.

In step S008, a second correlation analysis is carried out. The correction unit 253 analyzes the correlation between the continuity of the phase which was active immediately before, and the behavior of another (infected) terminal, in respect of the activity phase Pn(h) of the terminal (h) determined in step S006. If, as a result of this analysis, a communication pattern having a high risk of malware behavior is discovered, then the correction unit 253 corrects the grade Gr(h,Pn−m) of the communication pattern (Pn−m) in the terminal (h) determined in step S006, using the following equation, and assigns a higher grade.

Gr(h,Pn−m)=θ·Gr(h,Pn−m)

Here, the malware behavior similarity coefficient θ is in the range of 1.0 to 2.0, where 1.0 means “no similarity”. The contents of processing of the second correlation analysis, and the malware behavior similarity coefficient θ, are described below with reference to FIG. 6 to FIG. 8 and FIG. 10 to FIG. 15. Thereupon, the processing advances to step S009.

In step S009, grades (PGr) are specified for the activity phases. The specification unit 254 specifies a grade PGr(h,Pn)i for a phase Pn, from the grade Gr(h,Pn−m) of the communication pattern in the corresponding terminal h, based on the processing results from step S006 to step S008. Here, PGr(h,Pn)i−1 indicates the grade for the phase Pn up to the previous processing.

PGr(h,Pn)i=max{PGr(h,Pn)i−1,Gr(h,Pn−m)}

Thereupon, the processing advances to step S010.

In step S010, the possibility of malware activity (IR(h)) is calculated. The totalizing unit 256 and the determination unit 257 calculate the possibility of malware activity IR(h) for the terminal h. The specific calculation method is as described above in the explanation relating to the totalizing unit 256 and the determination unit 257. Thereupon, the processing advances to step S011.

In step S011 and step S012, if the possibility of malware activity IR(h) is equal to or greater than a prescribed threshold value, then a countermeasure, such as blocking of the terminal or issuing of an administrator alert, is carried out. The determination unit 257 determines whether or not the possibility of malware activity in the terminal calculated in step S010 is equal to or greater than the prescribed threshold value representing “black” (step S011). If the possibility of malware activity is “black”, then the communication blocking unit 22 carries out a countermeasure, such as blocking the communication by the terminal in question, or issuing an alert to the administrator (step S012). Furthermore, if the possibility of malware activity is “grey”, then the network monitoring apparatus 20 may issue an alert to the administrator. If the possibility of malware activity is “clean”, then a countermeasure such as blocking or issuing an alert is not carried out. Subsequently, the processing indicated in the flowchart is terminated.
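As an added illustration of the grade management table kept by the holding unit 255, the PGr update of step S009, the grade correction by θ of step S008, and the IR(h) calculation and clean/grey/black decision of steps S010 to S012 (example code written for this page, not code from the patent or any product): the terminal id, the pattern ids such as "P4-2" (written with an ASCII hyphen) and the grades are constructed values; ψ = 0.5, the phases P1 to P8 and the thresholds 50 and 90 are taken from the text.

```python
from collections import defaultdict

# Values taken from the page: ψ = 0.5, phases P1..P8, grey/black thresholds.
PSI = 0.5
PHASES = ["P%d" % n for n in range(1, 9)]
GREY_THRESHOLD = 50
BLACK_THRESHOLD = 90


class GradeManagementTable:
    """Per-terminal store of PGr(h,Pn) (max grade per phase) and Gr(h,Pn-m) (max grade per pattern)."""

    def __init__(self):
        self._pgr = defaultdict(lambda: {p: 0.0 for p in PHASES})
        self._gr = defaultdict(dict)
        self.audit_log = []  # step S119: one entry per maximum-grade update

    def record_detection(self, h, pattern, grade, theta=1.0):
        """Steps S006 to S009 for one detected communication pattern.

        pattern is a constructed id such as "P4-2" (phase P4, pattern 2);
        grade is Gr(Pn-m); theta is the malware behaviour similarity
        coefficient θ in [1.0, 2.0] (1.0 means no correction).
        Returns True when PGr(h,Pn) was raised by this detection.
        """
        if not 1.0 <= theta <= 2.0:
            raise ValueError("theta must be in the range 1.0 to 2.0")
        phase = pattern.split("-")[0]
        if phase not in PHASES:
            raise ValueError("unknown phase %r" % phase)
        corrected = theta * grade                       # Gr(h,Pn-m) = θ·Gr(h,Pn-m)
        self._gr[h][pattern] = max(self._gr[h].get(pattern, 0.0), corrected)
        # PGr(h,Pn)i = max{PGr(h,Pn)i-1, Gr(h,Pn-m)}
        if corrected > self._pgr[h][phase]:
            self.audit_log.append((h, phase, self._pgr[h][phase], corrected))
            self._pgr[h][phase] = corrected
            return True
        return False

    def pgr(self, h, phase):
        return self._pgr[h][phase]

    def gr(self, h, pattern):
        return self._gr[h].get(pattern, 0.0)


def malware_activity_possibility(table, h, psi=PSI):
    """IR(h) = min(ψ · Σ_{n=1..8} PGr(h,Pn), 1) × 100, returned as an integer 0..100."""
    total = sum(table.pgr(h, p) for p in PHASES)       # totalizing unit 256
    return int(round(min(psi * total, 1.0) * 100))     # determination unit 257


def classify(ir, grey=GREY_THRESHOLD, black=BLACK_THRESHOLD):
    """Map IR(h) to the page's clean / grey / black definitions."""
    if ir >= black:
        return "black"
    if ir >= grey:
        return "grey"
    return "clean"


def countermeasure(ir):
    """Steps S011/S012: black blocks and alerts, grey may alert, clean does nothing."""
    label = classify(ir)
    if label == "black":
        return "block_and_alert"
    if label == "grey":
        return "alert"
    return "none"


def run_example():
    """Constructed sequence of three detections on one hypothetical terminal."""
    table = GradeManagementTable()
    h = "10.0.0.5"   # constructed terminal identifier
    trace = []
    for pattern, grade, theta in [("P1-1", 0.3, 1.0), ("P4-2", 0.6, 1.5), ("P8-1", 0.8, 1.0)]:
        table.record_detection(h, pattern, grade, theta)
        ir = malware_activity_possibility(table, h)
        trace.append((pattern, ir, classify(ir), countermeasure(ir)))
    return trace


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

With ψ = 0.5 the score saturates once the per-phase maxima sum to 2.0, so a terminal seen in several distinct phases reaches "black" even if no single grade is high.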

FIG. 6 to FIG. 8 are a flowchart showing the flow of the detection process performed by the malware behavior detection engine 25 relating to the present embodiment. The flowchart gives a more detailed explanation of the processing from step S006 to step S012 of the detection processing described in relation to FIG. 5. More specifically, step S101 to step S103 give a more detailed explanation of the communication pattern determination processing described in step S006 in FIG. 5; step S104 to step S110 give a more detailed explanation of the first correlation analysis processing described in step S007; step S111 to step S116 give a more detailed explanation of the second correlation analysis processing described in step S008; and step S117 to step S120 give a more detailed explanation of the grade specification processing for activity phases described in step S009. Furthermore, step S121 corresponds to step S010 in FIG. 5, and step S122 and step S123 correspond to step S011 and step S012.

In step S101 and step S102, it is determined whether or not the acquired packet (input packet) corresponds to any of the previously defined communication patterns. The comparison unit 251 determines the commonality between the input packet and a previously defined communication pattern (Pn−m), by comparing the input packet and the previously held communication pattern. As a result of this determination, if it is determined that the input packet does not correspond to any communication pattern, then the processing relating to the packet in question is terminated, and the processing indicated in the flowchart is terminated. On the other hand, if it is determined that the packet does correspond to one of the communication patterns, then the processing advances to step S103.

In step S103, the fact that a communication pattern (Pn−m) determined to be corresponding has been detected is recorded in relation to the terminal relating to the input packet. Furthermore, the evaluated value acquisition unit 252 acquires the phase Pn to which the communication pattern (Pn−m) corresponding to the input packet belongs, and the grade Gr(Pn−m) set in advance for the communication pattern (Pn−m), respectively, as the phase Pn(h) in the terminal (h) relating to the input packet and the grade Gr(h,Pn−m) for the phase in question. Thereupon, the processing advances to step S104.

In step S104 and step S105, if required conditions are set for the communication pattern corresponding to the input packet, then it is determined whether or not a communication corresponding to the required conditions has been acquired in the past. If required conditions have not been set, then the processing advances to step S107. Here, the required conditions are conditions for deciding whether or not a grade Gr(Pn−m) set in advance for a communication pattern (Pn−m) determined to correspond to the input packet in step S101 may be specified as the grade Gr(h,Pn−m) for the phase Pn(h) of the terminal (h) relating to the input packet in question. For example, a communication pattern of “P6-4: HTTP communication (proxy/non-proxy) having HTTP standard port (80) as the destination port” is a general communication in HTTP, and a required condition for this communication pattern is that any of the “HTTP malicious communication patterns” defined in “P0-1 to P0-15” is detected. Therefore, if these required conditions are satisfied, then the grade Gr(h,P6-4) of the communication pattern P6-4 is specified in respect of the input packet, and if the required conditions are not satisfied, then the grade Gr(h,P6-4) of the communication pattern P6-4 is not specified in respect of the input packet.

In other words, the evaluated value acquisition unit 252 determines whether or not there is continuity between the phase acquired in respect of the input packet and the phase acquired in respect of another communication (preceding packet) carried out before the communication in question, in respect of the terminal relating to the communication in question, by determining whether or not a communication acquired in the past satisfies the required conditions. If it is determined that the required conditions are not satisfied, then the processing advances to step S106, and the grade of the input packet is set to 0 (zero). On the other hand, if it is determined that the required conditions are satisfied, then the processing advances to step S107.

In step S107, grades are assigned for the phases in the terminal relating to the input packet. The evaluated value acquisition unit 252 acquires a grade Gr(Pn−m) previously defined for the communication pattern Pn−m which is determined to be corresponding, in respect of the input packet, and sets same as the grade Gr(h,Pn−m) for the phase Pn(h) in the terminal (h). Thereupon, the processing advances to step S108.

In step S108, it is determined whether or not the input packet corresponds to the required conditions of a communication pattern detected in the past. In other words, in step S108, at the current time, which corresponds to the future from the viewpoint of a communication acquired in the past (preceding packet), it is determined whether or not a communication (input packet) corresponding to the required conditions has been detected. The evaluated value acquisition unit 252 determines whether or not a communication pattern has been detected in the past, for which the communication pattern of the input packet has been set as a required condition. As a result of this determination, if a communication pattern having the communication pattern relating to the input packet as a required condition has not been detected in the past, the processing advances to step S111. On the other hand, if, as a result of this determination, a communication pattern having the communication pattern relating to the input packet as a required condition has been detected in the past, the processing advances to step S110.

In step S110, grades are assigned for the phase of the communication acquired in the past (preceding packet). The evaluated value acquisition unit 252 acquires and assigns a grade Gr(Pn−m) previously defined for the communication pattern in question (Pn−m), to the communication detected in the past. Thereupon, the processing advances to step S111.

In step S111 and step S112, if a grade correction condition is set for the communication pattern corresponding to the input packet, then it is determined whether or not a communication corresponding to the grade correction condition has been acquired in the past. If a grade correction condition has not been set, then the processing advances to step S114. Here, a grade correction condition is a condition for determining whether or not a grade Gr(Pn−m) set previously for the communication pattern (Pn−m) determined to correspond to the input packet in step S101 should be corrected to a higher value. The correction unit 253 determines whether or not a communication corresponding to a grade correction condition has been detected in the past in respect of the terminal relating to the input packet. If it is determined that the grade correction condition is not satisfied, then grade correction is not carried out and the processing advances to step S114. On the other hand, if it is determined that the grade correction condition is satisfied, then the processing advances to step S113.

In step S113, grade correction is carried out. The correction unit 253 corrects the grade Gr(h,Pn−m) assigned in step S107, in accordance with the correction value set in advance in respect of the grade correction condition which is determined to have been satisfied in step S112. For example, if the correction value is 1.5, then the value of the grade Gr(h,Pn−m) is multiplied by 1.5. Thereupon, the processing advances to step S114.

In step S114, it is determined whether or not the input packet corresponds to the grade correction condition of a communication pattern detected in the past. In other words, in step S114, at the current time, which corresponds to the future from the viewpoint of a communication acquired in the past (preceding packet), it is determined whether or not a communication (input packet) corresponding to the grade correction condition has been detected. The correction unit 253 determines whether or not a communication pattern has been detected in the past, for which the communication pattern of the input packet has been set as a grade correction condition. As a result of this determination, if a communication pattern having the communication pattern relating to the input packet as a grade correction condition has not been detected in the past, then the processing advances to step S117. On the other hand, if, as a result of this determination, a communication pattern having the communication pattern relating to the input packet as a grade correction condition has been detected in the past, then the processing advances to step S116.

In step S116, grade correction relating to a past communication (preceding packet) is carried out. The correction unit 253 corrects the grade assigned to the terminal relating to the communication pattern detected in the past, by the correction value defined in advance in relation to the grade correction condition. For example, if the correction value is 1.5, then the grade is multiplied by 1.5. Thereupon, the processing advances to step S117.

In step S117 to step S120, a maximum grade updating process is carried out for each phase. Firstly, the network monitoring apparatus 20 acquires the maximum grade (the value after correction in the case of a grade which is corrected), which is held for each detection phase (P1 to P8) in the terminal relating to the input packet, from the grade management table (step S117), and determines whether or not the maximum grade has been updated, for each phase, by comparing the maximum grade with the grade specified by the specification unit 254 as a result of the processing from step S101 to step S116 (step S118). Here, if it is determined that the maximum grade has not been updated, then the processing advances to step S121. On the other hand, if it is determined that the maximum grade has been updated, then the holding unit 255 uses the newly assigned grade to update the maximum grade recorded in the grade management table, and saves this maximum grade (step S120). During this process, an audit log is kept (step S119). Thereupon, the processing advances to step S121.

In step S121, the possibility of malware activity in the terminal is calculated. The totalizing unit 256 totalizes the maximum grade which has been determined for each phase in the terminal h, and the determination unit 257 calculates the possibility of malware activity IR(h) in the terminal h, by multiplying by the malware activity coefficient. The specific calculation method is as described above in the explanation relating to the totalizing unit 256 and the determination unit 257. Thereupon, the processing advances to step S122.

In step S122 and step S123, the presence or absence of a malware infection in the object node 90 is determined. The determination unit 257 determines whether or not the possibility of malware activity IR(h) calculated in step S121 exceeds a prescribed threshold value (step S122). Here, if it is determined that the possibility of malware activity IR(h) has exceeded the threshold value, then the network monitoring apparatus 20 implements the prescribed countermeasure for when a malware infection is detected. Examples of the countermeasure for when a malware infection is detected include: starting blocking of the communication at the node 90 by the communication blocking unit 22, and issuing an alert (warning) indicating that the node 90 in question is infected with malware. On the other hand, if it is determined that the possibility of malware activity IR(h) has not exceeded the threshold value, then the countermeasure for when a malware infection has been detected, such as blocking of the communication or issuing a warning, etc., is not implemented. Subsequently, the processing indicated in the flowchart is terminated.

The network monitoring apparatus 20 can block the communication by the node 90 by using, for example, a method which discards communication data acquired from an L2/L3 switch, a method which disconnects the ports of an L2/L3 switch, a method which diverts the packet transmission destination in respect of the node 90 by means of ARP impersonation, a method which instructs the router 10 to discard communication relating to the node 90, or a method which changes and separates the VLAN to which the node 90 belongs. Furthermore, if the network monitoring apparatus 20 is installed (incorporated) in the router 10, then it is also possible to directly block communication which is sent or received by the node 90. Moreover, the network monitoring apparatus 20 can issue an alert by using a method which sends a notification packet or e-mail, etc. to the management server, the node 90, or a previously established administrator terminal, or the like, or, for example, a method which displays a warning via a display apparatus (display monitor, LED, etc.) provided in the network monitoring apparatus 20 itself.

<Example of Correlation Analysis>

Below, an example of a correlation analysis will be described. However, the correlation analysis is not limited to the example indicated in the present embodiment, provided that it is possible to analyze whether or not a plurality of communications performed by a terminal have a correlation from the viewpoint of the phase transitions which accompany malware activity.

(1) First Correlation Analysis

The communication pattern determination process (see step S006) is based on previously defined “communication patterns”. Therefore, by this process alone, it is not possible to detect malware which is carrying out communications which do not match the communication patterns. Consequently, in the present embodiment, the first correlation analysis (see step S007) is carried out.

FIG. 9 is a diagram showing the phases in the activity transition model and the transitions therebetween, which are the object of monitoring in the first correlation analysis in the present embodiment. In general, malware transfers to the exploration and infection phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8, in accordance with a command from the C&C server. Furthermore, the time from receiving the command from the C&C server until transferring to the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8 is generally extremely short (within one second). In the first correlation analysis, these characteristics are utilized, and when the terminal (h) has transferred to the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8, the communication triggering this transfer is regarded provisionally as a C&C communication, and the terminal relating to the communication in question is registered in the C&C server candidate list. After registration in the C&C server candidate list, the processing for identifying malware information is performed in line with the malware detection method described above.

(1.1) Preparation (Gathering Evaluation Information)

In the first correlation analysis, when activity in the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8 of the activity transition model is observed (a communication pattern is detected), the communication triggering this activity is analyzed, and if prescribed conditions are satisfied, the transmission source of the communication triggering the activity (the connection destination as viewed from the terminal (h)) is registered in the list as a C&C server candidate. Below, the method of gathering information and the recorded contents used in the first correlation analysis will be described. The processing described below is executed each time a packet sent by a terminal that is the object of monitoring is detected. Furthermore, this preparation (evaluation information gathering) process is carried out after completion of the communication pattern determination process (see step S006).

(1.1.1) Analysis

If the packet is analyzed and the conditions described below are satisfied, then the procedure advances to the packet waiting step in (1.1.2). If these conditions are not satisfied, the procedure waits for a packet, without taking any action.

- The packet is any one of an HTTP GET, POST, PUT, or CONNECT request sent by the terminal (h); and
- the GET request is not a file download request; and
- the value of the User-Agent header does not start with “Mozilla”, or there is no User-Agent header.

The condition relating to the User-Agent described above means that only an HTTP request sent by an application other than a Web browser is the object of evaluation (impersonation). Since web browser communications are the object of evaluation in the communication pattern determination process, only non-web browser communications are the object in the first correlation analysis. If the conditions described above are satisfied, then the following information is recorded in the terminal (h) management table.

- Method type (any one of GET, POST, PUT, CONNECT)
- User-Agent header value (text string); “NULL” if there is no User-Agent header
- Host header value (FQDN or IP address)

(1.1.2) Waiting for Packet

Here, the procedure waits for the subsequent packet. When a packet is received, the following processes are carried out.

- If the packet is a new HTTP request sent by a terminal (h) which satisfies the conditions in (1.1.1), then the processing returns to the analysis in (1.1.1). In the HTTP request and the response, only the time stamp of the latest data is required, but since there is a possibility of packet loss, a time stamp may be recorded every time an HTTP response is received, and the time stamp may be overwritten when a subsequent response is received.
- If the packet is a response to an HTTP request sent by the terminal (h) in (1.1.1), and the size of the body part of the HTTP response is zero, then the processing transfers to (1.1.1). This is because if the size of the body part of the HTTP response is zero, the response does not contain command information from the C&C server.
- If the packet is a response to an HTTP request sent by the terminal (h) in (1.1.1), and the size of the body part of the HTTP response is not zero, then the contents indicated below are recorded and the processing transfers to (1.1.3).
    - The detection (reception) time of the HTTP response packet (time stamp: milliseconds) is recorded. Hereinafter, this time stamp is expressed as “TimeStamp(C)”. Here, only the time stamp of the latest HTTP response data is required, but since there is a possibility of packet loss, a time stamp is recorded each time an HTTP response is received, and the time stamp is overwritten when a subsequent response is received.

(1.1.3) Determination

Here, the following determination and processing are carried out.

-   -   If the packet processed in (1.1.2) is not the final data of an HTTP response, then the malware behavior detection engine 25 halts at (1.1.2) and waits for the subsequent response.
    -   If the packet processed in (1.1.2) is the final data of an HTTP response, then the malware behavior detection engine 25 returns to the analysis in (1.1.1) and waits for a new HTTP response.

(1.2) Contents of Processing Upon Transition to Exploration Phase P2

The malware behavior detection engine 25 carries out the following processing successively, and if the conditions are satisfied, registers the terminal relating to the packet recorded in “Preparation (gathering evaluation information)” in the C&C server candidate list.

-   -   Activity in exploration phase P2 is recognized (matches the “communication pattern of exploration phase P2”), and
    -   The time of transition to exploration phase P2 (time stamp: TimeStamp(P2)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P2)

The malware behavior detection engine 25 applies the grade (Gr)=0.3 to a communication (input packet) recorded in “Preparation (gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of the two is re-recorded as the grade (PGr) of the C&C communication phase. TimeStamp(P2) is recorded in the communication pattern determination process when the “communication pattern of the exploration phase P2” is detected. TimeStamp(P2) is measured only in respect of communication patterns which correspond to a “suspicious connection attempt” in the exploration phase. Furthermore, the observation time of the communication pattern is the time at which a communication pattern corresponding to a “suspicious connection attempt” is detected.

(1.3) Contents of Processing Upon Transition to Execution File Download Phase P4

The malware behavior detection engine 25 carries out the following processing successively, and if the conditions are satisfied, registers the terminal relating to the packet recorded in “Preparation (gathering evaluation information)” in the C&C server candidate list.

-   -   Activity in execution file download phase P4 is recognized (matches the “communication pattern of execution file download phase P4”), and
    -   The time of transition to execution file download phase P4 (time stamp: TimeStamp(P4)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P4)

The malware behavior detection engine 25 applies the grade (Gr)=0.3 to a communication recorded in “Preparation (gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of the two is re-recorded as the grade (PGr) of the C&C communication phase. TimeStamp(P4) is recorded in the communication pattern determination process when the “communication pattern of the execution file download phase P4” is detected. TimeStamp(P4) is not the time of the start of the HTTP GET request, FTP download or TFTP download, but rather the time at which the file download is completed (or the time of the last packet of the response in the case of HTTP GET). Since packet loss occurs, TimeStamp(P4) may be updated each time an individual packet of an HTTP GET response or an FTP/TFTP download packet is detected.

(1.4) Contents of Processing Upon Transition to Attack Phase P8

The malware behavior detection engine 25 carries out the following processing successively, and if the conditions are satisfied, registers the terminal relating to the packet recorded in “Preparation (gathering evaluation information)” in the C&C server candidate list.

-   -   Activity of the attack phase P8 is recognized (matches the “communication pattern of attack phase P8”), and
    -   The time of transition to attack phase P8 (time stamp: TimeStamp(P8)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P8)

The malware behavior detection engine 25 applies the grade (Gr)=0.3 to a communication recorded in “Preparation (gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of the two is re-recorded as the grade (PGr) of the C&C communication phase. TimeStamp(P8) is recorded in the communication pattern determination process when the “communication pattern of the attack phase P8” is detected. TimeStamp(P8) is not the time at which an attack activity is recognized (ultimately from a plurality of packets), but rather the time at which the first packet of an attack communication pattern is detected.
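The first correlation analysis of (1.1) to (1.4), collected into one piece of runnable code as an added example; this is not code from the patent or its applicant. It records non-browser HTTP exchanges with a non-empty response body as TimeStamp(C), and on a transition to P2, P4 or P8 registers every recorded host satisfying TimeStamp(C)+500 ms > TimeStamp(Pn) in the C&C server candidate list with Gr=0.3, keeping PGr as the larger of the old and new grade. The class and method names, the browser User-Agent prefix list, and the sample hosts are assumptions made for this illustration.

```python
"""Added example (not the patent's own code): the first correlation analysis
of section (1), which turns a recorded non-browser HTTP exchange into a C&C
server candidate list entry when a phase transition follows it closely.
Class, method and constant names are assumptions of this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WINDOW_MS = 500                       # TimeStamp(C) + 500 ms > TimeStamp(Pn), per (1.2)-(1.4)
GRADE = 0.3                           # Gr applied to a qualifying recorded communication
TRIGGER_PHASES = {"P2", "P4", "P8"}   # exploration, execution file download, attack
# Constructed simplification (assumption): a User-Agent starting with one of
# these prefixes is treated as a Web browser and excluded by (1.1.1).
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")


@dataclass
class CcRecord:
    """One entry of the terminal (h) management table, per (1.1.1)."""
    method: str
    user_agent: str                        # "NULL" when the header is absent
    host: str                              # Host header value (FQDN or IP address)
    timestamp_c: Optional[int] = None      # TimeStamp(C) in ms, overwritten per response packet


@dataclass
class TerminalState:
    records: List[CcRecord] = field(default_factory=list)
    pgr_cc: float = 0.0                                   # recorded grade PGr of the C&C phase
    cc_candidates: Set[str] = field(default_factory=set)  # C&C server candidate list


class FirstCorrelationAnalysis:
    def __init__(self) -> None:
        self.terminals: Dict[str, TerminalState] = {}

    def _state(self, terminal: str) -> TerminalState:
        return self.terminals.setdefault(terminal, TerminalState())

    def on_http_request(self, terminal: str, method: str,
                        user_agent: Optional[str], host: str) -> Optional[CcRecord]:
        """(1.1.1): record only non-browser GET/POST/PUT/CONNECT requests."""
        if method not in ("GET", "POST", "PUT", "CONNECT"):
            return None
        ua = user_agent if user_agent is not None else "NULL"
        if ua.startswith(BROWSER_UA_PREFIXES):
            return None
        rec = CcRecord(method, ua, host)
        self._state(terminal).records.append(rec)
        return rec

    @staticmethod
    def on_http_response(rec: CcRecord, body_size: int, ts_ms: int) -> None:
        """(1.1.2): an empty body carries no command, so nothing is recorded;
        otherwise TimeStamp(C) is (re)recorded on every response packet so that
        packet loss cannot leave it stale."""
        if body_size > 0:
            rec.timestamp_c = ts_ms

    def on_phase_transition(self, terminal: str, phase: str, ts_phase_ms: int) -> List[str]:
        """(1.2)-(1.4): on a transition to P2, P4 or P8 at TimeStamp(Pn), every
        recorded exchange with TimeStamp(C) + 500 ms > TimeStamp(Pn) gets Gr = 0.3,
        its host joins the candidate list, and PGr becomes max(PGr, Gr).
        The caller passes TimeStamp(P2) only for 'suspicious connection attempt'
        patterns, as (1.2) requires.  Returns the hosts registered this time."""
        if phase not in TRIGGER_PHASES:
            return []
        st = self._state(terminal)
        hits: List[str] = []
        for rec in st.records:
            if rec.timestamp_c is None:
                continue
            if rec.timestamp_c + WINDOW_MS > ts_phase_ms:   # the condition, taken literally
                st.cc_candidates.add(rec.host)
                st.pgr_cc = max(st.pgr_cc, GRADE)
                hits.append(rec.host)
        return hits
```

The condition is applied exactly as the text states it, so an exchange whose response arrives after the transition also qualifies; a deployment that wants a bounded window would additionally require TimeStamp(C) ≤ TimeStamp(Pn).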

(2) Second Correlation Analysis

Malware progressively deepens its activity as it transfers through the phases of the malware activity transition model. Consequently, if the activity (communication) in the phase immediately after a transition has a high possibility of being triggered by the activity (communication) in the phase one before (in other words, if there is a correlation between the phases before and after the transition), then it is determined that the terminal in question has a high probability of being infected with malware. A method can be envisaged in which the trigger is determined from the data contents included in the communication pattern (for example, the contents of an instruction from a C&C server), but there are many types of malware which encrypt or obfuscate the data part, and real-time analysis and determination are difficult to achieve. Therefore, in the present embodiment, the second correlation analysis (see step S008) is carried out based on the time required for the phase transition (the time from detecting the communication pattern Pr-s until detecting the communication pattern Pm−n), the terminal (h) of the communication destination (call-back communication), the correlation and degree of match between the behavior of a plurality of terminals having a high possibility of malware infection, and information such as the type of file handled, etc. If, as a result of this analysis, it has been possible to detect that the communication is one having a high suspicion of malware behavior, then the grade Gr(Pm−n) of the communication pattern Pm−n corresponding to this communication is corrected (multiplied by a malware behavior similarity coefficient θ), to assign a higher grade.

Below, the details of the analysis performed in the communication pattern correlation analysis will be described. If the sequence of transitions between phases does not match, or if the phase transitions match but a different phase is inserted between them, then the pattern is not regarded as an object for analysis, and correlation analysis is not carried out. Furthermore, the malware behavior detection engine 25 does not set all phase transitions as objects for correlation analysis. The malware behavior detection engine 25 sets, as objects for correlation analysis, the following phase transitions in which a marked correlation with malware behavior is observed. In FIG. 10 to FIG. 15, the solid arrows indicate a transition that is an analysis object and the dotted arrows indicate a transition that is not an analysis object.

(2.1) Contents of Processing Upon Transition to Exploration Phase P2

FIG. 10 is a diagram showing a transition to an exploration phase P2, which is the object of monitoring in the second correlation analysis in the present embodiment. The malware behavior detection engine 25 carries out the following analysis if the terminal (h) has transferred to the exploration phase P2 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.1.1) Transition from C&C Communication Phase P6 to Exploration Phase P2

if {condition A=TRUE} then {Gr(h,P2−m)=θ·Gr(h, P2−m)} (θ=1.2)

-   -   Condition A: A data communication is observed with any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data (a command) of any kind from a C&C server), and the communication pattern P2−m of the exploration phase is then observed in the terminal (h) within N(a) seconds.

Here, the time of receiving the data (command) from the C&C server is taken to be the timing at which the following packets are observed.

-   -   If the C&C is an HTTP type, the reception time of the (final) data of the HTTP response not having zero data length (body part size) which corresponds to an HTTP GET/POST/PUT request
    -   If the C&C is HTTPS (direct or CONNECT) or an independent protocol type, the reception time of the (final) TCP data which does not have a data length of zero, corresponding to the data packet sent by the terminal (h), on the TCP connection
    -   If the C&C is an IRC type, the reception time of the final data of the IRC message which does not have a data length of zero, from the C&C server

Here, the communication pattern P2−m of the exploration and infection phase is only applied to a communication pattern which corresponds to a “suspicious connection attempt”. Furthermore, the observation time of the communication pattern is the time at which a communication pattern corresponding to a “suspicious connection attempt” is detected.

(2.2) Contents of Analysis Upon Transition to Execution File Download Phase P4

FIG. 11 is a diagram showing a transition to the execution file download phase P4, which is the object of monitoring in the second correlation analysis in the present embodiment. The malware behavior detection engine 25 carries out the following analysis if the terminal (h) has transferred to the execution file download phase P4 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.2.1) Transition from Exploration Phase P2 to Execution File Download Phase P4

if {condition A=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.5)

if {condition B=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.3)

-   -   Condition A: The execution file download communication pattern P4−m is observed in the terminal (h), and the connection destination of P4−m (destination IP/FQDN) matches an infecting terminal (k).
    -   Condition B: The execution file download communication pattern P4−m is observed in the terminal (h), and the connection destination of P4−m (destination IP/FQDN) matches any one of the servers registered in the malware delivery server candidate list.

Since the download of an execution file is not always carried out within a prescribed time after malware infection (the download may occur 10 seconds after, or 3 days after, for instance), a time-related condition is not applied in the transition from phase P2 to phase P4.

(2.2.2) Transition from C&C Communication Phase P6 to Execution File Download Phase P4

if {condition C=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.2)

if {condition D=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.5)

-   -   Condition C: A data communication is observed with any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data of any kind from a C&C server), and the communication pattern P4−m of the execution file download phase is then observed in the terminal (h) within N(b) seconds.
    -   Condition D: Condition C, and the connection destination (destination IP/FQDN) of P4−m matches any one of the servers registered in the malware delivery server candidate list.

For the time at which data (a command) is received from the C&C server, see “(2.1) Contents of analysis upon transition to exploration phase P2”. The observation time of the communication pattern P4−m of the execution file download phase is not the time of the start of the HTTP GET request, FTP download or TFTP download, but rather the time at which the file download is completed (or the time of the last packet of the response in the case of HTTP GET). Since packet loss occurs, the time may be updated each time an individual packet of an HTTP GET response or an FTP/TFTP download packet is detected.

(2.2.3) Transition from Infiltration Phase P1 to Execution File Download Phase P4

In the “malware activity phase determination” processing block, when the terminal (h) transitions to the execution file download phase P4, the correlation analysis described below is carried out, and if it is determined that there is a correlation, the grade of the active communication pattern is corrected and it is determined that the terminal is infected with malware (is receiving a Drive-by Download attack) (see FIG. 5 to FIG. 8). The presence or absence of a correlation is determined on the basis of the continuity and relationship between the communication P1-n which is mapped to the infiltration phase P1 and the communication P4−m which is mapped to the execution file download phase P4. Here, the continuity is determined on the basis of the identity of the connection, the proximity of the detection times, and the presence/absence of other packets detected between the two communication patterns P1-n and P4−m, etc., and the relationship is determined on the basis of the destination server address and the commonality of the destination server information, etc.

FIG. 12 is a flowchart showing a flow of correlation analysis for determining a correlation between a communication relating to the infiltration phase P1 and a communication relating to the execution file download phase P4. The processing shown in this flowchart corresponds to the processing of the malware behavior detection engine from step S111 to step S116 as explained using FIG. 6 and FIG. 7, and is executed in order to detect that a Drive-by Download attack has been made on the terminal in question, if a communication mapped to the infiltration phase P1 or a communication mapped to the execution file download phase P4 is detected.

In step S701 to step S703, it is determined whether or not correlation conditions 1 to 3 are satisfied. If none of the correlation conditions 1 to 3 is satisfied, then the processing shown in the flowchart is terminated. On the other hand, if any one of the correlation conditions 1 to 3 is satisfied, then the processing advances to step S704. The correlation conditions 1 to 3 are as indicated below.

Correlation condition 1: After detection of communication pattern P1−m (m=1 to 5) in terminal (h), the communication pattern P4-n (n=1 to 4) is detected on the same TCP connection as the detected P1−m.

if (condition=TRUE) then PGr(h,P1)=0.3

if (condition=TRUE) then Gr(h,P4-1 to P4-4)=θ·Gr(h, P4-1 to P4-4) (θ=2.0)

Correlation condition 2: Immediately after detection of communication pattern P1−m (m=1 to 5) in terminal (h), the communication pattern P4-n (n=1 to 4) having the same FQDN/IP address as P1−m is detected. The TCP connections of P1−m and P4-n are different.

if (condition=TRUE) then PGr(h,P1)=0.3

if (condition=TRUE) then Gr(h,P4-1 to P4-4)=θ·Gr(h, P4-1 to P4-4) (θ=2.0)

Correlation condition 3: Immediately after detection of P1−m (m=1 to 5) in terminal (h), a normal GET request having the same FQDN/IP address as the detected P1−m and set to an IE or Java User-Agent header value is detected, this GET request is a single unique GET request, and immediately after the normal GET request (and response) described above, a communication pattern P4-n (n=1 to 4) having the same FQDN/IP address as the detected P1−m (m=1 to 5) is detected. The TCP connections of P1−m and P4-n are different.

if (condition=TRUE) then PGr(h,P1)=0.3

if (condition=TRUE) then Gr(h,P4-1 to P4-4)=θ·Gr(h, P4-1 to P4-4) (θ=2.0)

In step S704, the grades of phase P1 and phase P4−m are corrected. The correction unit 253 makes this correction by, for example, setting the grade of phase P1 to 0.3 and multiplying the grade of phase P4−m by 2.0. Thereupon, the processing shown in this flowchart is terminated, and finally, the presence or absence of malware infection (Drive-by Download attack) is determined by comparison with a threshold value (see the processing shown in FIG. 8).
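Correlation conditions 1 to 3 and the step S704 correction, written out as an added example over a constructed per-terminal event list; this is not code from the patent. Condition 1 is checked by TCP connection identity, condition 2 by same FQDN/IP with nothing detected in between, and condition 3 by exactly one normal IE/Java GET to the same host in between. The event record layout, the proximity window that stands in for "immediately after", and the User-Agent prefixes used to recognize IE and Java are assumptions of this illustration.

```python
"""Added example (not the patent's own code): correlation conditions 1 to 3 of
section (2.2.3) linking an infiltration-phase communication P1-m to an execution
file download P4-n on one terminal, and the grade correction of step S704.
Event fields, PROXIMITY_MS and BROWSER_UA are assumptions of this illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PGR_P1 = 0.3          # PGr(h, P1) set when any condition holds
THETA_P4 = 2.0        # Gr(h, P4-n) multiplier when any condition holds
PROXIMITY_MS = 3000   # assumption: how close "immediately after" must be
# assumption: User-Agent prefixes treated as IE or Java for condition 3
BROWSER_UA = ("Mozilla/4.0 (compatible; MSIE", "Mozilla/5.0 (Windows NT", "Java/")


@dataclass
class Event:
    ts_ms: int
    kind: str          # "P1", "P4" or "GET" (a normal browser GET with its response)
    conn: str          # TCP connection identity, e.g. "10.0.0.5:51234->203.0.113.9:80"
    host: str          # FQDN or IP address of the destination server
    user_agent: str = ""


def _is_browser_get(ev: Event, host: str) -> bool:
    return ev.kind == "GET" and ev.host == host and ev.user_agent.startswith(BROWSER_UA)


def match_condition(events: List[Event], p4_index: int) -> Optional[int]:
    """Return the number (1, 2 or 3) of the correlation condition satisfied by the
    P4-n event at events[p4_index] on one terminal (h), or None if none holds.
    events is the terminal's detections in time order."""
    p4 = events[p4_index]
    p1_indices = [i for i in range(p4_index) if events[i].kind == "P1"]
    if not p1_indices:
        return None
    # Condition 1: same TCP connection as any earlier P1-m (continuity by identity).
    if any(events[i].conn == p4.conn for i in p1_indices):
        return 1
    i = p1_indices[-1]                 # the most recent P1-m
    p1 = events[i]
    between = events[i + 1:p4_index]   # everything detected between P1-m and P4-n
    if p4.host != p1.host or p4.ts_ms - p1.ts_ms > PROXIMITY_MS:
        return None
    # Condition 2: same FQDN/IP, different connection, nothing in between.
    if not between:
        return 2
    # Condition 3: exactly one normal IE/Java GET to the same host in between.
    if len(between) == 1 and _is_browser_get(between[0], p1.host):
        return 3
    return None


def correct_grades(pgr_p1: float, gr_p4: float,
                   condition: Optional[int]) -> Tuple[float, float]:
    """Step S704: PGr(h,P1) = 0.3 and Gr(h,P4-n) x 2.0 when a condition matched."""
    if condition is None:
        return pgr_p1, gr_p4
    return PGR_P1, gr_p4 * THETA_P4
```

The returned pair feeds the threshold comparison of FIG. 8; nothing here decides infection on its own, which matches the text's separation of grade correction from the final determination.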

(2.3) Contents of Analysis Upon Transition to C&C Exploration Phase P5

FIG. 13 is a diagram showing a transition to the C&C exploration phase P5, which is the object of monitoring in the second correlation analysis according to the present embodiment. The malware behavior detection engine 25 carries out the following analysis if the terminal (h) has transferred to the C&C exploration phase P5 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.3.1) Transfer from Exploration Phase P2 to C&C Exploration Phase P5

if {condition A=TRUE} then {Gr(h,P5−m)=θ·Gr(h, P5−m)} (θ=1.2)

-   -   Condition A: Infection activity is observed in the terminal (h) (on the infected side, i.e. in the connection destination terminal in the communication pattern P2-9 or P2-10), and the communication pattern P5−m of the C&C exploration phase is then observed in the terminal (h) within N(c) seconds.

(2.3.2) Transition from C&C Communication Phase P6 to C&C Exploration Phase P5

if {condition B=TRUE} then {Gr(h,P5−m)=θ·Gr(h, P5−m)} (θ=1.3)

-   -   Condition B: The terminal (h) repeats the transition from the C&C communication phase P6 to the C&C exploration phase P5 (the communication pattern P5−m of the C&C exploration phase P5 is detected) at a predetermined cycle (time interval).

In the present embodiment, if the past three transitions have occurred at substantially the same cycle (time interval), then it is determined that the transfer to the C&C exploration phase P5 has been repeated at a predetermined cycle.
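The periodicity test of (2.3.2) as an added example (not the patent's code): the last three P6 → P5 transition times are reduced to the intervals between them, and the grade of P5−m is multiplied by θ=1.3 when those intervals are almost equal. The text does not say how much the intervals may differ for the cycle to count as "substantially the same", so the 10 % tolerance, the use of the two intervals spanned by three transitions, and the function names are assumptions of this illustration.

```python
"""Added example (not the patent's own code): condition B of section (2.3.2).
A terminal whose past three transitions from C&C communication phase P6 to
C&C exploration phase P5 occurred at substantially the same interval has
Gr(h, P5-m) multiplied by theta = 1.3.  TOLERANCE, REQUIRED_TRANSITIONS and
the function names are assumptions of this illustration."""
from typing import List

THETA_PERIODIC = 1.3
TOLERANCE = 0.10            # assumption: intervals may differ by at most 10 %
REQUIRED_TRANSITIONS = 3    # "the past three transitions" (two intervals between them)


def is_periodic(transition_ts_ms: List[int]) -> bool:
    """True when the last REQUIRED_TRANSITIONS transitions (timestamps in ms,
    any order) are spaced at almost the same interval."""
    if len(transition_ts_ms) < REQUIRED_TRANSITIONS:
        return False
    last = sorted(transition_ts_ms)[-REQUIRED_TRANSITIONS:]
    intervals = [later - earlier for earlier, later in zip(last, last[1:])]
    if min(intervals) <= 0:           # duplicate timestamps are not a cycle
        return False
    # Relative spread of the intervals: 0.0 means a perfectly regular beacon.
    spread = (max(intervals) - min(intervals)) / max(intervals)
    return spread <= TOLERANCE


def corrected_p5_grade(gr_p5: float, transition_ts_ms: List[int]) -> float:
    """Gr(h, P5-m) = theta * Gr(h, P5-m) when condition B holds, else unchanged."""
    return gr_p5 * THETA_PERIODIC if is_periodic(transition_ts_ms) else gr_p5
```

Regular beaconing is the signal here; malware that randomizes its polling interval (jitter) would need a wider tolerance or a longer history than three transitions, which is why the tolerance is kept as a named constant.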

(2.4) Contents of Analysis Upon Transfer to C&C Communication Phase P6

FIG. 14 is a diagram showing a transition to the C&C communication phase P6, which is the object of monitoring in the second correlation analysis in the present embodiment. The malware behavior detection engine 25 carries out the following analysis if the terminal (h) has transferred to the C&C communication phase P6 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.4.1) Transition from Exploration Phase P2 to C&C Communication Phase P6

if {condition A=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.1)

if {condition B=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.2)

if {condition C=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.5)

-   -   Condition A: Infection activity is observed in the terminal (h) (in the infected terminal in the communication pattern P2-9 or P2-10), and the communication pattern P6−m of the C&C communication phase P6 is then observed in the terminal (h) within N(d) seconds.
    -   Condition B: Condition A, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list (of any terminal that is the object of monitoring).
    -   Condition C: Condition A, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list of an infecting terminal (k).

(2.4.2) Transition from Execution File Download Phase P4 to C&C Communication Phase P6

if {condition D=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.1)

if {condition E=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.2)

if {condition F=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.3)

-   -   Condition D: An execution file download communication pattern P4−m is observed in the terminal (h), and the communication pattern P6−m of the C&C communication phase is then observed in the terminal (h) within N(e) seconds.
    -   Condition E: Condition D, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list (of any terminal that is the object of monitoring).
    -   Condition F: Condition D, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers already registered in the C&C server candidate list of the terminal (h).

(2.4.3) Transfer from C&C Exploration Phase P5 to C&C Communication Phase P6

if {condition G=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.2)

-   -   Condition G: The communication pattern P5−m of the C&C exploration phase is observed in the terminal (h), the communication pattern P6−m of the C&C communication phase is observed in the terminal (h) within N(f) seconds, and the connection destination (destination IP/FQDN) in P6−m is any one of the C&C servers registered in the C&C server candidate list (of any of the terminals that are the object of monitoring).
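Conditions D, E and F of (2.4.2) as an added example (not the patent's code), showing how the time window N(e) and the per-terminal C&C server candidate lists combine: condition F (destination already in terminal (h)'s own list) is the most specific and carries θ=1.3, condition E (destination in any monitored terminal's list) θ=1.2, and condition D alone θ=1.1. The text does not give N(e) a numeric value, so the 60 s used here, the dictionary layout of the candidate lists, and the rule of applying only the strongest satisfied condition's θ (rather than compounding all three) are assumptions of this illustration.

```python
"""Added example (not the patent's own code): conditions D, E and F of section
(2.4.2), the transition from execution file download phase P4 to C&C
communication phase P6.  N_E_SECONDS, the candidate-list layout and the
'strongest condition wins' rule are assumptions of this illustration."""
from typing import Dict, Optional, Set

N_E_SECONDS = 60.0      # assumption: N(e) is not given numerically in the text

# theta per condition, from the text of (2.4.2)
THETA = {"D": 1.1, "E": 1.2, "F": 1.3}


def evaluate_p4_to_p6(
    terminal: str,
    ts_p4: float,                          # observation time of P4-m on terminal (h), seconds
    ts_p6: float,                          # observation time of P6-m on terminal (h), seconds
    p6_destination: str,                   # destination IP/FQDN of P6-m
    cc_candidates: Dict[str, Set[str]],    # C&C server candidate list per monitored terminal
) -> Optional[str]:
    """Return the strongest condition ("D", "E" or "F") that holds, else None."""
    # Condition D: P6-m follows P4-m on the same terminal within N(e) seconds.
    if not (0 <= ts_p6 - ts_p4 <= N_E_SECONDS):
        return None
    # Condition F: destination already in terminal (h)'s own candidate list.
    if p6_destination in cc_candidates.get(terminal, set()):
        return "F"
    # Condition E: destination in the candidate list of any monitored terminal.
    if any(p6_destination in candidates for candidates in cc_candidates.values()):
        return "E"
    return "D"


def corrected_p6_grade(gr_p6: float, condition: Optional[str]) -> float:
    """Gr(h, P6-m) = theta * Gr(h, P6-m) for the matched condition, else unchanged."""
    return gr_p6 * THETA[condition] if condition else gr_p6
```

The same shape serves (2.4.1) and (2.4.3) by swapping the time window and the list that is consulted (the infecting terminal (k)'s list for condition C, any monitored terminal's list for condition G).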

(2.5) Contents of Analysis Upon Transfer to Attack Phase P8

FIG. 15 is a diagram showing a transition to an attack phase P8, which is the object of monitoring in the second correlation analysis in the present embodiment. The malware behavior detection engine 25 carries out the following analysis if the terminal (h) has transferred to the attack phase P8 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.5.1) Transition from Execution File Download Phase P4 to Attack Phase P8

if {condition A=TRUE} then {Gr(h,P8−m)=θ·Gr(h, P8−m)} (θ=1.2)

-   -   Condition A: The execution file download communication pattern P4−m is observed in the terminal (h), and the attack phase communication pattern P8−m is then observed in the terminal (h) within N(g) seconds.

(2.5.2) Transition from C&C Communication Phase P6 to Attack Phase P8

if {condition B=TRUE} then {Gr(h,P8−m)=θ·Gr(h, P8−m)} (θ=1.2)

if {condition C=TRUE} then {Gr(h,P8−m)=θ·Gr(h, P8−m)} (θ=1.5)

-   -   Condition B: A data communication is observed with any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data (a command) of any kind from a C&C server), and the attack phase communication pattern P8−m is then observed in the terminal (h) within N(h) seconds.
    -   Condition C: Two or more terminals satisfying condition B are detected. (The detections do not have to occur simultaneously.)

(3) Correlation Analysis for Role Estimation

In an attack method used in a targeted attack, in order to delay the discovery of attack activity in an organization, there has been a tendency to reduce, as far as possible, the amount of communication from an infected terminal in the organization to an external terminal managed by the attacker. Here, in order to reduce the amount of communication with an external terminal, the number of infected terminals inside the organization which perform communication with an external terminal is restricted, and the infected terminals are assigned roles and are managed. For example, the roles given to infected terminals are the four following roles. One infected terminal may also have a plurality of roles.

1. Role of exploration/infection/espionage activities with the object of expanding infection of the malware within the organization
2. Role of downloading a file from an external terminal managed by the attacker into the organization, positioning the file within its own terminal, and redistributing it
3. Role of relaying C&C communication from an external terminal managed by the attacker
4. Role of collecting result information of espionage activities within the organization and uploading the information to the external terminal managed by the attacker

In order to investigate the behavior of this kind of infected terminal, it has conventionally been proposed that malware activity be detected by analyzing the type of software running on a terminal and the contents of the processing performed in the terminal, by agent-type monitoring software which runs on the terminal. However, with conventional methods, since the communication log, communication capture information, the malware itself, or the like is analyzed after detecting an infected terminal, it takes a long time from the detection of the infected terminal until the identification of the activity and role of the malware.

As described above, there are cases where the attacker seeks to reduce the amount of communication between an infected terminal and an external terminal in order to delay the discovery of an attack, and for this purpose provides, within the organization, a proxy infected terminal which performs communication with an external terminal managed by the attacker instead of another infected terminal. In this case, the communication between the external terminal and the proxy infected terminal, and the communication between the proxy infected terminal and the infected terminal, are communications in the same phase.

Therefore, in the present embodiment, by analyzing the correlation between communications in the same phase performed by different terminals, an infected terminal within an organization, an infected terminal having the role of performing, by proxy, communication with an external terminal managed by an attacker, and the like are discovered, and the roles of the terminals are estimated.

The contents of the correlation analysis between communications by different terminals are described below. If the sequence of transitions between phases does not match, or if the phase transitions match but a different phase is inserted between them, then the communication may be omitted as an object for analysis. Furthermore, the malware behavior detection engine 25 sets, as objects for correlation analysis, phase transitions in which a correlation with malware behavior is observed.

FIG. 16 is a flowchart showing a flow of a third correlation analysis process performed by the malware behavior detection engine 25 relating to the present embodiment. The third correlation analysis process according to the present embodiment is executed when a packet flowing over the network (or data consisting of a plurality of packets) is acquired by the network monitoring apparatus 20, and a prescribed communication pattern is then detected by the communication pattern determination process described above (step S006 in FIG. 5 and step S101 to step S103 in FIG. 6).

Here, the prescribed communication pattern in the present embodiment is one of the four communication patterns indicated below.

1. Communication pattern P3−m in which there is a possibility that an infection/invasion action has been carried out;
2. Communication pattern P4−m in which there is a possibility that an execution file has been transmitted;
3. Communication pattern P6−m in which there is a possibility that C&C communication has been carried out; and
4. Communication pattern P7−m in which there is a possibility that exploited information has been uploaded.

Although there is a possibility that communication based on malware is encrypted, the malware behavior detection engine according to the present embodiment detects a communication for uploading information on the basis of a communication pattern, and therefore it is possible to detect which phase the communication in question belongs to, even if the communication is encrypted.

In step S201, a role estimation correlation analysis process corresponding to the detected communication pattern is executed. The malware behavior detection engine executes the corresponding role estimation correlation analysis process in accordance with the communication pattern detected in the communication pattern determination process described above (corresponding to step S006 in FIG. 5, and step S101 to step S103 in FIG. 6). More specifically:

1. When the communication pattern P3−m in which there is a possibility that an infection/invasion action has been carried out is detected, a role estimation correlation analysis process for the infection/invasion phase P3 is executed;
2. When the communication pattern P4−m in which there is a possibility that an execution file has been transmitted is detected, a role estimation correlation analysis process for the execution file download phase P4 is executed;
3. When the communication pattern P6−m in which there is a possibility that C&C communication is being carried out is detected, a role estimation correlation analysis process for the C&C communication phase P6 is executed;
4. When a communication pattern P7−m in which there is a possibility that exploited information has been uploaded is detected, a role estimation correlation analysis process for the exploited information upload phase P7 is executed.

The details of the correlation analysis processes between the respective terminals are described below. Thereupon, the processing advances to step S202.

In step S202, a countermeasure such as blocking of the terminal and/or issuing of an administrator alert is carried out in accordance with the result of the role estimation correlation analysis. In the role estimation correlation analyses described above, if any of the nodes 90 is inferred to have any role involved in malware activity, the network monitoring apparatus 20 performs a prescribed countermeasure for when a malware infection is detected. Examples of the countermeasure for when a malware infection is detected include: starting blocking of the communication at the node 90 by the communication blocking unit 22, and issuing an alert (warning) indicating that the node 90 in question is infected with malware. By enabling an administrator to ascertain information of this kind, the administrator is able to ascertain which terminals having which roles are present on the network in the organization, to ascertain a situation in which expansion of malware infection and/or attack activity has occurred, and to promote suitable countermeasures. In the role estimation correlation analyses described above, if none of the nodes 90 is inferred to have a role in malware activity, then a countermeasure for when a malware infection is detected, such as blocking and/or issuing an alert, is not carried out. The concrete method of blocking communication and/or issuing an alert by the network monitoring apparatus 20 is indicated as an example in the description of step S123, etc. Subsequently, the processing indicated in the flowchart is terminated.

Next, the specific contents of each of the role estimation correlation analyses are described.

(3.1) Role Estimation Correction Analysis for Infection and InvasionPhase P3

FIG. 17 is a flowchart showing a flow of a role estimation correlationanalysis process for the infection and invasion phase P3 relating to thepresent embodiment. The flowchart gives a more detailed description ofthe processing when the role estimation correlation analysis process ofthe infection and invasion phase P3 is called up in step S201 of thethird correlation analysis process described with reference to FIG. 16,because a communication pattern is detected in which there is apossibility that an infection and invasion action has been carried out.Furthermore, FIG. 18 is a diagram showing an aspect of the activity of aterminal of which the role is estimated by the role estimationcorrelation analysis process for the infection and invasion phase P3,according to the present embodiment.

In step S301, the infection source terminal information and theinfection destination terminal information are recorded. The malwarebehavior detection engine 25, when a communication pattern is detectedin which there is a possibility that an infection and invasion actionhas been carried out, records the terminal information of the terminalsrelating to the communication in question, in other words, the infectionsource terminal information and infection destination terminalinformation, in the storage apparatus 14 a. For instance, when acommunication pattern is detected in which there is a possibility thatan injection and invasion action has been carried out, from node 90 b tonode 90 c, the malware behavior detection engine 25 records the terminalinformation of node 90 b (infection source) and node 90 c (infectiondestination). The terminal information recorded here is, for example,the IP address of the terminal, etc. Thereupon, the processing advancesto step S302.

In step S302, it is determined whether or not the infection sourceterminal has received an infection/invasion from a terminal inside theorganization in the past. The correlation analysis unit 258 determineswhether or not an infection source terminal (node 90 b in the exampledescribed above) relating to a communication in the infection andinvasion phase P3 detected currently is communicating with any othernode 90 (for example, node 90 a) in the infection and invasion phase P3in which there is a possibility that a similar infection and invasionaction has been carried out, and whether or not the terminal is aninfection destination terminal. This determination is carried out byexploring the information recorded in step S301, when the processingrelating to the flowchart has been executed in the past.

In other words, when the phase P3 currently specified in relation to theinfection source terminal (node 90 b) in which a communication has beendetected is the same as the phase specified in the past in relation toany other node 90, the correlation analysis unit 258 determines whetheror not these terminals are carrying out activities cooperatively, bymaking a correlation analysis between the communication by the infectionsource terminal (node 90 b) and the communication by another terminal(node 90 a, for example). If it is determined that the infection sourceterminal has not received an infection and invasion from a terminalinside the organization, then the processing shown in this flowchart isterminated. On the other hand, if it is determined that the infectionsource terminal has received an infection and invasion from a terminalinside the organization in the past, then the processing advances tostep S303.

In step S303, it is estimated that a terminal that is currently carrying out infection and invasion, and a terminal that has carried out infection and invasion in the past, are terminals having an “infection and invasion role”, and the estimation results are recorded. In step S302, when it is determined that the infection source terminal has received infection and invasion from a terminal in the organization in the past, the role estimation unit 259 estimates that the current infection source terminal (node 90 b in the example described above) and the past infection source terminal (node 90 a in the example described above) are operating as terminals having a malware “infection and invasion role”, and records the terminal information of these terminals. Subsequently, the processing indicated in the flowchart is terminated.

(3.2) Role Estimation Correlation Analysis Process for Execution FileDownload Phase P4

FIG. 19 is a flowchart showing a flow of a role estimation correlationanalysis process for the execution file download phase P4 relating tothe present embodiment. The flowchart gives a more detailed descriptionof the processing when the role estimation correlation analysis processof the execution file download phase P4 is called up in step S201 of thethird correlation analysis process described with reference to FIG. 16,because a communication pattern is detected in which there is apossibility that an execution file has been transmitted. Furthermore,FIG. 20 is a diagram showing an aspect of the activity of a terminal ofwhich the role is estimated by the role estimation correlation analysisprocess for the execution file download phase P4, according to thepresent embodiment.

In step S401, the detection information of the request transmissionsource terminal and the request reception terminal is recorded. Themalware behavior detection engine 25 records the detection informationof the communication in question, in the storage apparatus 14 a, when acommunication pattern is detected in which there is a possibility thatexecution file download has been carried out. The detection informationrecorded here includes: terminal information of a terminal inferred tohave transmitted a request for download of an execution file (forexample, the IP address of node 90 c, or the like), and terminalinformation of a terminal inferred to have received the request (forexample, the IP address of node 90 b, etc.). Thereupon, the processingadvances to step S402.

In steps S402 and S403, it is determined whether or not a terminal thathas received a request is a terminal that is inside the organization andhas downloaded an execution file from a terminal outside theorganization in the past. The correlation analysis unit 258 determineswhether or not the terminal which has received a request in an executionfile download phase P4 communication that is detected currently (node 90b in the example described above) is a terminal inside the organization(step S402). There are no restrictions on the concrete method ofdetermination, but, for example, it is possible to determine whether ornot the terminal that has received a request is a terminal inside theorganization, by referring to the IP address set in the packets, and thelike. If the terminal that has received the request is not a terminalinside the organization, then the processing shown in the flowchartterminates.

If the terminal that has received a request is a terminal inside the organization, on the other hand, then it is determined whether or not the terminal has, in the past, performed a communication in the execution file download phase P4 in which there is a possibility that an execution file has been downloaded from a terminal outside the organization (step S403). In the example described above, the request receiving terminal is node 90 b and is a terminal inside the organization. This determination is carried out by exploring the information recorded in step S401, when the processing relating to the flowchart has been executed in the past.

In other words, when the phase P4 currently specified in relation to therequest receiving terminal (node 90 b) in which a communication has beendetected is the same as the phase specified in the past in relation to aterminal outside the organization, the correlation analysis unit 258determines whether or not these terminals are carrying out activitycooperatively, by making a correlation analysis between thecommunication by the request receiving terminal (node 90 b) and thecommunication by the terminal outside the organization. If it isdetermined that an execution file has not been downloaded from aterminal outside the organization in the past, then the processing shownin the flowchart is terminated. On the other hand, when it is determinedthat an execution file has been downloaded from the terminal outside theorganization in the past, then the processing advances to step S404. Forexample, if the node 90 b, which is the current request receivingterminal, has downloaded an execution file from any terminal outside theorganization in the past, then the determination result in this step is“YES” and the processing advances to step S404.

In step S404, it is determined whether or not there is another terminalinside the organization which has made a request for execution filedownload to the request receiving terminal. In other words, in stepS404, it is determined whether or not there is a plurality of terminalsinside the organization which have made a request for execution filedownload to the request receiving terminal. The correlation analysisunit 258 determines whether or not a terminal that has received arequest in a currently detected execution file download phase P4communication (node 90 b in the example described above) has received anexecution file download request (a communication in the execution filedownload phase P4), from a terminal in the organization (node 90 d, forexample) that is different to the terminal that sent the current request(node 90 c). This determination is carried out by exploring theinformation recorded in step S401, when the processing relating to theflowchart has been executed in the past.

In other words, if the phase P4 currently specified in relation to therequest receiving terminal (node 90 b) in which a communication has beendetected is the same as the phase specified in the past in relation tothe terminal inside the organization (node 90 d), the correlationanalysis unit 258 determines whether or not these terminals are carryingout activities cooperatively, by making a correlation analysis inrespect of these communications. When it is determined that there is noother terminal inside the organization that has made the request, thenthe processing shown in the flowchart is terminated. On the other hand,if it is determined that there is another terminal inside theorganization that has made a request, then the processing advances tostep S405.

In step S405, the terminal which has currently received a request isestimated to be a terminal having a “role of redistributing an executionfile”, and the estimation result is recorded. In step S404, when it isdetermined that there is another terminal inside the organization thathas made a request, the role estimation unit 259 estimates that therequest receiving terminal (node 90 b, for example) is a terminal thathas been given a role of distributing an execution file inside theorganization, in order to delay discovery by suppressing the amount ofcommunication with the outside of the organization. Subsequently, theprocessing indicated in the flowchart is terminated.

(3.3) Role Estimation Correlation Analysis Process for C&C CommunicationPhase P6

FIG. 21 is a flowchart showing a flow of a role estimation correlationanalysis process for the C&C communication phase P6 relating to thepresent embodiment. The flowchart gives a more detailed description ofthe processing when the role estimation correlation analysis process ofthe C&C communication phase P6 is called up in step S201 of the thirdcorrelation analysis process described with reference to FIG. 16,because a communication pattern is detected in which there is apossibility that a C&C communication has been carried out. Furthermore,FIG. 22 is a diagram showing an aspect of the activity of a terminal ofwhich the role is estimated by the role estimation correlation analysisprocess for the C&C communication phase P6, according to the presentembodiment.

In step S501, the detection information of the command transmissionsource terminal and the command receiving terminal is recorded. Themalware behavior detection engine 25 records the detection informationof the communication in question, in the storage apparatus 14 a, when acommunication pattern is detected in which there is a possibility thatC&C communication has been carried out. The detection informationrecorded here includes: terminal information of a terminal inferred tohave transmitted a C&C communication command (for example, the IPaddress of node 90 b, or the like), and terminal information of aterminal inferred to have received the command (for example, the IPaddress of node 90 c, etc.). Thereupon, the processing advances to stepS502.

In steps S502 and S503, it is determined whether or not the command transmission source terminal is a terminal inside the organization which has performed communication inferred to be a C&C communication with a terminal outside the organization in the past. The correlation analysis unit 258 determines whether or not the terminal which has transmitted a command in the currently detected C&C communication phase P6 communication (node 90 b in the example described above) is a terminal inside the organization (step S502). There are no restrictions on the concrete method of determination, but, for example, it is possible to determine whether or not the command transmission source terminal is a terminal inside the organization by referring to the IP address set in the packets, and the like. If the terminal that has transmitted the command is not a terminal inside the organization, then the processing shown in the flowchart terminates.

If the terminal that has transmitted a command is a terminal inside theorganization, on the other hand, then it is determined whether or notthe terminal has, in the past, performed a communication in the C&Ccommunication phase P6 in which there is a possibility of C&Ccommunication with a terminal outside the organization (step S503). Inthe example described above, the command transmitting terminal is node90 b and is a terminal inside the organization. This determination iscarried out by exploring the information recorded in step S501, when theprocessing relating to the flowchart has been executed in the past.

In other words, when the phase P6 currently specified in relation to thecommand transmission source terminal (node 90 b) in which acommunication has been detected is the same as the phase specified inthe past in relation to a terminal outside the organization, thecorrelation analysis unit 258 determines whether or not these terminalsare carrying out activities cooperatively, by making a correlationanalysis between the communication by the command transmission sourceterminal (node 90 b) and the communication by the terminal outside theorganization. If it is determined that the terminal has not carried outa communication that has a possibility of being a C&C communication witha terminal outside the organization, in the past, then the processingshown in the flowchart is terminated. On the other hand, when it isdetermined that the terminal has performed a communication that has apossibility of being a C&C communication with a terminal outside theorganization, in the past, then the processing advances to step S504.For example, if the node 90 b, which is the current command transmittingterminal, has performed a C&C communication with any terminal outsidethe organization in the past, then the determination result in this stepis “YES” and the processing advances to step S504.

In step S504, it is determined whether or not there is another terminalinside the organization which has performed C&C communication with thecommand transmitting terminal. In other words, in step S504, it isdetermined whether or not there is a plurality of terminals inside theorganization which have performed C&C communication with the commandtransmitting terminal. The correlation analysis unit 258 determineswhether or not the terminal which has transmitted a command in the C&Ccommunication phase P6 communication detected currently (node 90 b inthe example described above) has performed a communication which has apossibility of being a C&C communication (a communication in the C&Ccommunication phase P6), with a terminal inside the organization (forexample, node 90 d) that is different to the terminal (node 90 c) whichis the counterpart in the current C&C communication. This determinationis carried out by exploring the information recorded in step S501, whenthe processing relating to the flowchart has been executed in the past.

In other words, if the phase P6 currently specified in relation to thecommand transmitting terminal (node 90 b) in which a communication hasbeen detected is the same as the phase specified in the past in relationto the terminal inside the organization (node 90 d), the correlationanalysis unit 258 determines whether or not these terminals are carryingout activities cooperatively, by making a correlation analysis inrespect of these communications. When it is determined that there is noother terminal in the organization that has performed a C&Ccommunication, then the processing shown in the flowchart is terminated.On the other hand, if it is determined that there is another terminalinside the organization that has performed a C&C communication, then theprocessing advances to step S505.

In step S505, the terminal which has currently transmitted a command isestimated to be a terminal having a “role of relaying a C&Ccommunication”, and the estimation result is recorded. In step S504,when it is determined that there is another terminal inside theorganization that has performed a C&C communication, the role estimationunit 259 estimates that the command transmitting terminal (node 90 b,for example) is a terminal that has been given a role of relaying a C&Ccommunication from a C&C server outside the organization, and recordsthe terminal information of these terminals. Subsequently, theprocessing indicated in the flowchart is terminated.

(3.4) Role Estimation Correlation Analysis Process for ExploitedInformation Upload Phase P7

FIG. 23 is a flowchart showing a flow of a role estimation correlation analysis process for the exploited information upload phase P7 relating to the present embodiment. The flowchart gives a more detailed description of the processing when the role estimation correlation analysis process of the exploited information upload phase P7 is called up in step S201 of the third correlation analysis process described with reference to FIG. 16, because a communication pattern is detected in which there is a possibility that exploited information has been uploaded. Furthermore, FIG. 24 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the exploited information upload phase P7, according to the present embodiment.

In step S601, the detection information of the information upload sourceterminal and the upload destination terminal are recorded. The malwarebehavior detection engine 25 records the detection information of thecommunication in question, in the storage apparatus 14 a, when acommunication pattern is detected in which there is a possibility thatupload of exploited information has been carried out. The detectioninformation recorded here includes: terminal information of a terminalinferred to have uploaded exploited information (for example, the IPaddress of node 90 b, or the like), and terminal information of aterminal inferred to have received the upload of exploited information(for example, the IP address of a server outside the organization,etc.). Thereupon, the processing advances to step S602.

In step S602, it is determined whether or not the upload destinationterminal is a terminal outside the organization. The correlationanalysis unit 258 determines whether or not the terminal which hasreceived upload of information in the currently detected communicationpattern (a server outside the organization in the example describedabove) is a terminal outside the organization. There are no restrictionson the concrete method of determination, but, for example, it ispossible to determine whether or not the terminal that has received theupload of information is a terminal outside the organization, byreferring to the IP address set in the packets, and the like. If theterminal that has received the upload of information is not a terminaloutside the organization, then the processing shown in the flowchartterminates. On the other hand, if the terminal that has received theupload of information is a terminal outside the organization, then theprocessing advances to step S603. In the example described above, theupload destination terminal is a server (terminal) outside theorganization.

In step S603, it is determined whether or not there is a plurality of terminals inside the organization that have conducted information upload to the upload source terminal. The correlation analysis unit 258 determines whether or not the terminal which has conducted information upload in the currently detected communication in the exploited information upload phase P7 (node 90 b in the example described above) has, in the past, received information upload (communication in the exploited information upload phase P7) from a plurality of terminals inside the organization (nodes 90 a, 90 c, 90 d, for example). This determination is carried out by exploring the information recorded in step S601, when the processing relating to the flowchart has been executed in the past.

In other words, if the phase P7 currently specified in relation to theupload source terminal (node 90 b) in which a communication has beendetected is the same as the phase specified in the past in relation to aplurality of terminals inside the organization (for example, nodes 90 a,90 c, 90 d), then the correlation analysis unit 258 determines whetheror not these terminals are carrying out activities cooperatively, bymaking a correlation analysis in respect of these communications. If itis determined that there is not a plurality of terminals in theorganization that have conducted information upload, then the processingshown in the flowchart is terminated. On the other hand, if it isdetermined that there is a plurality of terminals inside theorganization that have conducted information upload, then the processingadvances to step S604.

In step S604, the terminal which has currently conducted an upload isinferred to be a terminal having a “role of collecting and uploadingexploited information”, and the inference result is recorded. In stepS603, if it is determined that there is a plurality of terminals insidethe organization that have conducted information upload to the uploadsource terminal, then the role estimation unit 259 infers that theupload source terminal (for example, node 90 b) is a terminal that hasbeen given a role of collecting information from inside the organizationand sending the information to a server inside the organization, inorder to delay discovery by suppressing the communication amount withthe outside of the organization, and records the terminal information ofthis terminal. Subsequently, the processing indicated in the flowchartis terminated.

According to the correlation analysis for role estimation describedabove, by monitoring the communications inside the organization, it ispossible to estimate the “role” inside the organization of a terminalthat has been infected with malware, and moreover it is possible tocarry out communication control corresponding to the estimated “role”.For example, in the case of a terminal which possibly has a role ofuploading information, it is possible to select a countermeasure such asblocking communications, even at a stage where there is littlepossibility of malware activity. Furthermore, when a plurality ofinfected terminals are detected, it is also possible to determinecountermeasures for a security incident, by carrying out an analysisthat prioritizes terminals which have a high degree of threat inrelation to the “role” of the infected terminal.
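The four role estimation flows in (3.1) to (3.4) all follow the same shape: record the detection information of the current communication, search the records of earlier executions of the same flowchart, and assign a role when the past records satisfy the flowchart's conditions. The following is an added illustration of those decision flows, not code from the patent or the embodiment; the phase labels, the "inside the organization" test by address prefix and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Phase names follow the page's activity model (constructed labels).
P3 = "P3 infection and invasion"
P4 = "P4 execution file download"
P6 = "P6 C&C communication"
P7 = "P7 exploited information upload"

ROLE_P3 = "infection and invasion role"
ROLE_P4 = "role of redistributing an execution file"
ROLE_P6 = "role of relaying a C&C communication"
ROLE_P7 = "role of collecting and uploading exploited information"

# Constructed: address prefixes treated as "inside the organization"; the page
# leaves the concrete test open ("by referring to the IP address set in the packets").
INTERNAL_PREFIXES = ("10.", "192.168.")


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIXES)


class RoleEstimator:
    """Holds the detection information recorded in steps S301/S401/S501/S601 and
    runs the matching role estimation flowchart on every new detection."""

    def __init__(self):
        self.records = defaultdict(list)  # phase -> [(source, destination), ...]
        self.roles = defaultdict(set)     # terminal -> estimated roles

    def observe(self, phase, src, dst):
        """Record one detected communication pattern and return the (terminal, role)
        pairs estimated from it; an empty list means the flowchart terminated early."""
        past = list(self.records[phase])        # earlier executions of this flowchart
        self.records[phase].append((src, dst))  # step S301 / S401 / S501 / S601
        handler = {P3: self._p3, P4: self._p4, P6: self._p6, P7: self._p7}[phase]
        estimated = handler(src, dst, past)
        for terminal, role in estimated:
            self.roles[terminal].add(role)
        return estimated

    def _p3(self, src, dst, past):
        # S302: was the current infection source itself infected from inside earlier?
        past_sources = {s for s, d in past if d == src and is_internal(s)}
        if not past_sources:
            return []
        # S303: current and past infection sources both get the infection and invasion role
        return [(src, ROLE_P3)] + [(s, ROLE_P3) for s in sorted(past_sources)]

    def _p4(self, requester, receiver, past):
        if not is_internal(receiver):                      # S402
            return []
        if not any(s == receiver and not is_internal(d) for s, d in past):  # S403
            return []
        # S404: a different inside terminal already requested a download from the receiver
        others = {s for s, d in past if d == receiver and is_internal(s) and s != requester}
        return [(receiver, ROLE_P4)] if others else []   # S405

    def _p6(self, cmd_src, cmd_dst, past):
        if not is_internal(cmd_src):                       # S502
            return []
        # S503: a possible C&C exchange with an outside terminal in the past, either direction
        if not any((s == cmd_src and not is_internal(d)) or (d == cmd_src and not is_internal(s))
                   for s, d in past):
            return []
        # S504: cmd_src also sent commands to another inside terminal
        others = {d for s, d in past if s == cmd_src and is_internal(d) and d != cmd_dst}
        return [(cmd_src, ROLE_P6)] if others else []    # S505

    def _p7(self, up_src, up_dst, past):
        if is_internal(up_dst):                            # S602
            return []
        # S603: a plurality (two or more) of inside terminals uploaded to up_src earlier
        uploaders = {s for s, d in past if d == up_src and is_internal(s)}
        return [(up_src, ROLE_P7)] if len(uploaders) >= 2 else []  # S604


def run_scenario():
    """Constructed detection sequence mirroring nodes 90a..90d and outside servers."""
    a, b, c, d = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"
    download_site, cc_server, upload_server = "203.0.113.5", "198.51.100.7", "203.0.113.9"
    est = RoleEstimator()
    est.observe(P3, a, b)              # a infects b: no earlier record, nothing estimated
    est.observe(P3, b, c)              # b infects c; b was infected from a -> both get the P3 role
    est.observe(P4, b, download_site)  # b fetches an execution file from outside
    est.observe(P4, c, b)              # c requests it from b: only one inside requester so far
    est.observe(P4, d, b)              # d requests too -> b redistributes execution files
    est.observe(P6, cc_server, b)      # outside C&C server commands b (source is outside)
    est.observe(P6, b, c)              # b commands c
    est.observe(P6, b, d)              # b commands a second inside terminal -> relay role
    est.observe(P7, a, b)              # a and c upload to b (destination inside, no role yet)
    est.observe(P7, c, b)
    est.observe(P7, b, upload_server)  # b uploads outside -> collecting and uploading role
    return est


if __name__ == "__main__":
    for terminal, roles in sorted(run_scenario().roles.items()):
        print(terminal, sorted(roles))
```

In the constructed scenario node 90 b (10.0.0.2) ends up with all four roles and node 90 a (10.0.0.1) with the infection and invasion role only; every other observation terminates its flowchart without an estimate.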

<Blocking of Communications>

As stated above, the communication blocking unit 22 blocks a communication by a terminal that has been determined to be carrying out unauthorized activity. Here, when the malware behavior detection engine detects that a terminal inside the organization has been infected with malware, or when the role of a terminal inside the organization has been estimated by the malware behavior detection engine, the communication blocking unit 22 may also identify a communication destination relating to unauthorized activity by the terminal, based on the combination of communication patterns that led to the malware detection, and block communication with said communication destination from terminals inside the organization. Here, the communication destination relating to unauthorized activity by the terminal is, for example, a malware download source, a C&C server transmitting a command to malware, an upload server forwarding espionage activity results, or the like. Furthermore, when blocking communication from a terminal in the organization to the communication destination, it is also possible to block the communication regardless of whether or not that terminal has been determined to be infected with malware. More specifically, when a determination of malware infection or an estimation of a role has been made, the communication blocking unit 22 controls access from any terminal inside the organization (including a terminal that is not infected with malware) to an address with which the malware has communicated (protocol, port number, URI, etc.), by blocking, discarding or changing the destination of the communication.

The communication destination that is the object of blocking is aterminal that has transmitted malware and/or malicious content, etc. toa terminal of which the role has been estimated, in order for theterminal to perform that role, or an external server with which theterminal of which the role has been estimated communicates in order toperform that role. For example,

1. If a communication pattern in the infiltration phase P1 is detected, the connection destination from the terminal inside the organization may be a site which carries out processing that is a trigger for infection prepared by the attacker;

2. If a communication pattern in the execution file download phase P4 is detected, then the connection destination from the terminal inside the organization may be a device in which malware is stored;

3. If a communication pattern in the C&C server exploration phase P5 or C&C server communication phase P6 is detected, then the connection destination from the terminal inside the organization may be a device which issues a command to malware running on the terminal inside the organization; and

4. If a communication pattern in the exploited information upload phase P7 is detected, then the connection destination from the terminal inside the organization may be a device in which the malware stores the exploited information.

Therefore, the communication blocking unit 22 blocks communications tothese connection destinations.

According to the system disclosed in the present embodiment, in this way, communications to the device in question are blocked, including communications from devices that are not infected with malware, depending on the role relating to the communication that is determined to be malware activity and in accordance with a blocking policy defined previously for each role. The spread of damage can thereby be prevented by blocking dangerous communications, and the behavior of the malware that has infiltrated can be subdued at an early stage.

Furthermore, the network monitoring apparatus 20 may inform anadministrator of a communication destination relating to unauthorizedactivity identified by the process described above (for example, amalware download source, a C&C server which transmits a command tomalware, an upload server which forwards espionage activity results, andso on).

<Variations>

In the embodiment described above, an example is given in which thenetwork monitoring apparatus 20 operates in a passive mode of acquiringpackets or frames, etc. which are sent and received by a node 90, bybeing connected to a monitoring port (mirror port) of a switch orrouter, and the network monitoring apparatus 20 does not transfer theacquired packets (see FIG. 1). However, the network configurationillustrated in the embodiment given above is one example of implementingthe present disclosure, and other network configurations may be employedin implementing the disclosure.

For example, even in a case where the network monitoring apparatus 20 isnot connected to the monitoring port (mirror port), and is simplyconnected to a network segment 2, it is possible to acquire the packetsand frames, etc. sent and received by the node 90, by acquiring all ofthe frames flowing through the network segment 2, including those whichare not directed to the MAC address of the network monitoring apparatus20. In this case also, the network monitoring apparatus 20 operates inpassive mode. Furthermore, for example, the network monitoring apparatus20 may acquire passing packets and frames, etc., by being connectedbetween the switch or router of the network segment 2 and another switchor router at a higher level (see FIG. 25). In this case, the networkmonitoring apparatus 20 operates in an in-line mode for transferringthose acquired packets which do not need to be blocked. Furthermore, thenetwork monitoring apparatus 20 may also be incorporated into the routeror switch.

In the present embodiment, a case is described in which packets flowingover a network are acquired and detection is performed in real time bythe various detection engines described above, but the scope of thepresent disclosure is not limited to real-time detection. For example,it is also possible to accumulate data relating to communicationsflowing over a network, and to carry out processing by the variousdetection engines described above, on the accumulated data.

What is claimed is:
1. An information processing apparatus, comprising: a comparison unit that compares a communication by a plurality of terminals with a pattern held in advance; a specification unit that specifies a phase of activity of the terminals, in accordance with a comparison result of comparison by the comparison unit; and a correlation analysis unit that determines whether or not a first terminal and a second terminal included in the plurality of terminals are carrying out activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when a phase specified currently or in the past in respect of the first terminal is the same as a phase specified currently or in the past in respect of the second terminal.
2. The information processing apparatus according to claim 1, wherein the correlation analysis unit determines whether or not the first terminal and the second terminal are carrying out activity cooperatively, by determining the presence or extent of continuity or relationship between the communication by the first terminal and the communication by the second terminal.
 3. The information processing apparatus according to claim 1,further comprising a role estimation unit that estimates a role of theactivity in the phase of the first terminal or the second terminal whichare determined to be operating cooperatively by the correlation analysisunit.
 4. The information processing apparatus according to claim 3,further comprising a communication blocking unit that blockscommunication relating to the terminal, when a role of the terminal hasbeen estimated.
 5. The information processing apparatus according toclaim 4, wherein the communication blocking unit blocks, when a role ofthe terminal has been estimated, communication with a prescribedterminal related to the role of the terminal, regardless of whether ornot a source of communication with the prescribed terminal is infectedwith malware.
 6. The information processing apparatus according to claim5, wherein the prescribed terminal is a terminal which transmitssoftware for performing the role to the terminal, the role of which hasbeen estimated, or a terminal with which the terminal, the role of whichhas been estimated, communicates in order to perform the role.
7. The information processing apparatus according to claim 1, wherein the phase indicates a transitional state of a prescribed activity by the terminal; and the specification unit specifies, as a phase relating to the communication, a phase pre-established in respect of a pattern which is matching or similar to the communication, as the comparison result.
8. The information processing apparatus according to claim 1, further comprising a communication acquisition unit that acquires a communication by a terminal connected to a network, wherein the comparison unit compares the acquired communication with a pattern held in advance.
9. A method, to be executed by a computer, comprising: comparing a communication by a plurality of terminals with a pattern held in advance; specifying a phase of activity of the terminals, in accordance with a comparison result of the comparing; and determining whether or not a first terminal and a second terminal included in the plurality of terminals are performing activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when a phase specified currently or in the past in respect of the first terminal is the same as a phase specified currently or in the past in respect of the second terminal.
 10. A computer-readable non-transitory medium on which isrecorded a program, causing a computer to function as: a comparison unitthat compares a communication by a plurality of terminals with a patternheld in advance; a specification unit that specifies a phase of activityof the terminals, in accordance with a comparison result of comparisonby the comparison unit; and a correlation analysis unit that determineswhether or not a first terminal and a second terminal included in theplurality of terminals are performing activity cooperatively, byperforming a correlation analysis of communication by the first terminaland communication by the second terminal, when a phase specifiedcurrently or in the past in respect of the first terminal is the same asa phase specified currently or in the past in respect of the secondterminal.